A vulnerability in the ShoreTel platform (CVE-2018-12901) could allow an attacker to create a specially crafted URL that gives them the ability to execute arbitrary code in a victim’s browser if the victim clicks the link. This issue was discovered by Harrison Coale of Secureworks® during a penetration test against a client.

https://www.secureworks.com/research/advisory-2018-001