GOautodial, an open-source call center software suite with 50,000 customers worldwide, has addressed two vulnerabilities that might result in data leakage and remote code execution (RCE). The initial problem, dubbed CVE-2021-43175, was discovered by Scott Tolley of the Synopsys Cybersecurity Research Center (CyRC).
An API router takes a login, password, and action and redirects it to other PHP files that implement API operations. However, vulnerable versions of GOautodial erroneously verify the username and password, enabling the caller to authenticate with any value for these fields.
Another flaw, CVE-2021-43176, lets any authorized user at any level acquire total control over the GOautodial program on the server by enabling remote code execution. It has a high severity rating because it allows an attacker to steal data from coworkers and customers, as well as modify the program to incorporate harmful behavior.
Tolley said that the second flaw, remote code execution, lets any regular user of the program, such as a single call center employee, do pretty much whatever they want, including deleting all data, stealing all data, intercepting passwords, and falsifying communications. It means that any user at any level, or an attacker who acquires access to such a user’s account, might jeopardize the call center’s integrity.
According to researchers, versions of the GOautodial API from or before commit b951651 on September 27, 2021, including the latest publicly accessible ISO installation GOautodial-4-x86 64-Final-20191010-0150.iso, appear to be susceptible.
On September 22, Tolley informed GOautodial of the vulnerabilities, which were resolved on October 20. On November 17, Synopsys confirmed the patch, and Synopsis issued an advisory on December 7. He also revealed that the disclosure procedure with the GOautodial team went smoothly and that both vulnerabilities were swiftly addressed.