A cybersecurity researcher has uncovered multiple flaws in an open-source contact centre software package that is widely used around the world.
Today, the Synopsys Cybersecurity Research Center (CyRC) published an advisory disclosing two API vulnerabilities in GOautodial. Although GOautodial is sold as a paid cloud service by several operators, it is also available as a free download.
“The observed vulnerabilities may be remotely exploited to retrieve system settings without authentication and allow arbitrary code execution by any authorised user via unlimited file upload,” researchers stated in their GOautodial alert.
The broken authentication vulnerability, CVE-2021-43175, discovered by Synopsys, lets an attacker with access to the internal network hosting GOautodial retrieve sensitive configuration data, such as default passwords, from the GOautodial server without supplying any credentials.
With this information, a threat actor could then connect to other systems on the same network, such as VoIP phones.
The second flaw, CVE-2021-43176, lets any authenticated user, regardless of privilege level, achieve remote code execution.
“This would allow them to gain complete control over the GOautodial application on the server, steal data from fellow employees and customers, and even rewrite the application to introduce malicious behaviour such as password stealing or spoofing communications (sending messages or emails that appear to come from someone else),” CyRC warned.
Versions of the GOautodial API built before September 27, 2021 are vulnerable, including the most recent publicly available ISO installer, GOautodial-4-x86_64-Final-20191010-0150.iso.
Scott Tolley, a researcher at the Synopsys Cybersecurity Research Center, identified the vulnerabilities while using Seeker, an interactive application security testing (IAST) tool that automatically tests for security vulnerabilities across the software development life cycle (SDLC).
Tolley first reported the vulnerabilities to GOautodial on September 22. GOautodial responded on October 20, stating that the vulnerabilities had been fixed.
Synopsys had verified the fix by November 17 and published its advisory on the vulnerabilities earlier today.
Tolley also found CVE-2021-33177, CVE-2021-33178 and CVE-2021-33179, which are SQL injection, path traversal and cross-site scripting (XSS) vulnerabilities in Nagios XI, a widely used application, service and network monitoring product.