Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label GOautodial. Show all posts

Multiple Flaws Detected in GOautodial

 

Several vulnerabilities have been uncovered in an open-source call centre software suite that is used all around the world, as per a cybersecurity researcher. 

The Synopsys Cybersecurity Research Center (CyRC) issued a warning disclosing two GOautodial API vulnerabilities. While GOautodial is sold as a paid cloud service by a variety of providers, it is available as a free download. 

Researchers in the GOautodial advisory stated, "The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution by any authenticated user via an unrestricted file upload." 

One of the vulnerabilities discovered by Synopsys is the broken authentication issue CVE-2021-43175, which enables attackers with access to the internal network hosting GOautodial to obtain sensitive configuration information, such as default passwords, from the GOautodial server without credentials. A threat actor could use this information to link to other systems on the network, such as VoIP phones. 

CVE-2021-43176 is another recently discovered flaw that lets any authorised user at any level conduct remote code execution. 

CyRC alerted, "This would allow them to gain complete control over the GOautodial application on the server, steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behaviour such as stealing passwords or spoofing communications (sending messages or emails that look like they come from someone else)." 

Vulnerable versions of the GOautodial API comprises the latest publicly available ISO installer, GOautodial-4-x86 64-Final-20191010-0150.iso, which was created before September 27, 2021. 

The vulnerabilities were discovered by Scott Tolley of the Synopsys Cybersecurity Research Center using the interactive application security testing (IAST) tool Seeker, which automatically tests for security vulnerabilities throughout the software development life cycle (SDLC). 

On September 22, Tolley revealed the vulnerabilities to GOautodial for the first time. On October 20, the firm responded, claiming that the flaws had been addressed. Synopsys validated the patch by November 17 and issued a security advisory about the flaws. 

CVE-2021-33177, CVE-2021-33178, and CVE-2021-33179 are SQL injection, path traversal, and XSS vulnerabilities in the popular application, service, and network monitoring software Nagios XI, respectively, identified by bug-hunter Tolley.