GOautodial, an open source call center software suite with 50,000 users around the world, has patched two vulnerabilities that could lead to information disclosure and remote code execution (RCE).
Unearthed by Scott Tolley of the Synopsys Cybersecurity Research Center (CyRC), the first bug – tracked as CVE-2021-43175 – has been rated medium severity.
An API router accepts a username, a password, and an action parameter; the action is used to route the request to other PHP files that implement the various API functions.
However, vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate.
This allows the caller to name and call a second PHP file without having any valid credentials for the GOautodial system.
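The two weaknesses the article describes, an authentication check that accepts any credentials and an action parameter that lets the caller name the PHP file to run, are the two things a hardened router has to get right. The following is an added illustration written for this page, not GOautodial's own or patched code; the user store, parameter names and action file names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: action name => PHP file that implements it.
// The caller only ever supplies a key of this map, never a file name.
const ACTIONS = [
    'get_campaigns' => __DIR__ . '/api/get_campaigns.php',
    'add_lead'      => __DIR__ . '/api/add_lead.php',
];

// Strict authentication: succeed only when the user exists AND
// password_verify() confirms the supplied password against the stored
// hash. Any code path that returns true without both conditions holding
// reproduces the class of bug the article describes.
function authenticate(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Run a verify anyway so unknown users cost about the same time.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Resolve the action through the allowlist only; null for anything else,
// so the caller cannot name an arbitrary PHP file (e.g. via '../').
function resolve_action(string $action): ?string
{
    return ACTIONS[$action] ?? null;
}

function handle_request(array $users, array $params): array
{
    $username = (string)($params['user'] ?? '');
    $password = (string)($params['pass'] ?? '');
    $action   = (string)($params['action'] ?? '');

    if (!authenticate($users, $username, $password)) {
        return ['status' => 401, 'body' => 'authentication failed'];
    }
    $file = resolve_action($action);
    if ($file === null) {
        return ['status' => 400, 'body' => 'unknown action'];
    }
    // Dispatch point: in a real router this would be `require $file;`.
    return ['status' => 200, 'body' => $file];
}

// Constructed user store for the demonstration; the hash is generated at load.
$users = ['agent1' => password_hash('s3cret', PASSWORD_DEFAULT)];

// Bogus credentials, a valid login with an unlisted action, and a valid request.
var_dump(handle_request($users, ['user' => 'x', 'pass' => 'y', 'action' => 'get_campaigns']));
var_dump(handle_request($users, ['user' => 'agent1', 'pass' => 's3cret', 'action' => '../../evil']));
var_dump(handle_request($users, ['user' => 'agent1', 'pass' => 's3cret', 'action' => 'add_lead']));
```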