GOautodial, an open source call center software suite with 50,000 users around the world, has patched two vulnerabilities that could lead to information disclosure and remote code execution (RCE).
Unearthed by Scott Tolley of the Synopsys Cybersecurity Research Center (CyRC), the first bug – tracked as CVE-2021-43175 – has been rated medium severity.
An API router accepts a username, password, and action that routes to other PHP files that implement the various API functions.
However, vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate.
This allows the caller to name and call a second PHP file without having any valid credentials for the GOautodial system.
 
Source: https://portswigger.net/daily-swig/goautodial-vulnerabilities-put-call-center-network-security-on-the-line
The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY
Follow Us
© 2015 – 2019 IT Security Guru – Website Managed by Calm Logic
© 2015 – 2019 IT Security Guru – Website Managed by Calm Logic
This site uses functional cookies and external scripts to improve your experience.
Privacy Settings / PENDING
This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.
NOTE: These settings will only apply to the browser and device you are currently using.
GDPR Compliance

source

You May Also Like

Conti ransomware group spent millions in 2021

The prolific Conti ransomware collective spent millions on salaries, tools and services…

New ransomware threatens to wipe Windows PCs

A relatively new Ransomware, LokiLocker, uses the standard extortion-through-encryption racket but also…

Edgescan partners with Manicode to revolutionise secure coding courses

Edgescan, the provider of the most comprehensive fullstack vulnerability management solution, today…