Vulnerabilities Found in GOautodial
A cybersecurity researcher has discovered multiple vulnerabilities in an open-source call center software suite used around the world.
The Synopsys Cybersecurity Research Center (CyRC) released an advisory today exposing two API vulnerabilities in GOautodial. While multiple providers sell GOautodial as a paid-for cloud service, it is available as a free download.
"The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution by any authenticated user via unrestricted file upload," wrote researchers in the GOautodial advisory.
Among the vulnerabilities unearthed by Synopsys is the broken authentication flaw CVE-2021-43175, which lets an attacker who can reach the GOautodial server on the internal network read sensitive configuration data, such as default passwords, without supplying any credentials.
Using this data, a threat actor could connect to other related systems on the network, such as VoIP phones.
Another newly found flaw is CVE-2021-43176, which allows any authenticated user, regardless of privilege level, to achieve remote code execution on the server through unrestricted file upload.
"This would allow them to gain complete control over the GOautodial application on the server, steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behavior such as stealing passwords or spoofing communications (sending messages or emails that look like they
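The advisory describes the second flaw only at the level of its vulnerability class, unrestricted file upload by an authenticated user. The following is an added illustration of that class and of the checks that close it; it is example code written for this page, not GOautodial's code and not the advisory's exploit details. The allowlist, signatures and size limit are assumptions chosen for the example, and the sample uploads are constructed.

```python
import os
import secrets
from pathlib import Path

# Assumed allowlist for this example: each extension maps to the magic bytes
# its content must start with (None means a plain-text type checked separately).
# A real application lists only what it legitimately accepts.
ALLOWED = {
    "wav": (b"RIFF",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "csv": None,
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound for an upload


def unrestricted_save(upload_dir, filename, data):
    """The vulnerable pattern, shown for contrast: the client-supplied name and
    content are trusted. A name such as 'shell.php' (or '../../index.php')
    lands wherever the web server will execute it."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as f:
        f.write(data)
    return path


def validate_upload(filename, data):
    """Return the allowlisted extension, or raise ValueError on any mismatch."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    base = os.path.basename(filename)  # drop any directory components
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    sigs = ALLOWED[ext]
    if sigs is None:
        # Text types have no fixed signature: require decodable UTF-8 and
        # refuse content that carries a server-side script opening tag.
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            raise ValueError("expected text content")
        if "<?" in text:
            raise ValueError("script tag in text upload")
    elif not any(data.startswith(s) for s in sigs):
        raise ValueError("content does not match extension")
    return ext


def safe_save(upload_dir, filename, data):
    """Hardened save: validated content, server-chosen random name, no overwrite.
    The directory should sit outside the web root or have script execution off."""
    ext = validate_upload(filename, data)
    name = f"{secrets.token_hex(16)}.{ext}"
    path = Path(upload_dir) / name
    with open(path, "xb") as f:  # 'x' mode refuses to clobber an existing file
        f.write(data)
    return str(path)


def demo():
    """Run constructed uploads through the checks and report the outcome."""
    import tempfile
    upload_dir = tempfile.mkdtemp()
    saved = safe_save(upload_dir, "../../evil.wav", b"RIFF" + b"\x00" * 40)
    rejected = []
    for name, data in [
        ("shell.php", b"<?php system($_GET['c']); ?>"),      # disallowed extension
        ("shell.php.png", b"<?php echo 1; ?>"),               # extension/content mismatch
        ("leads.csv", b"name,phone\n<?php passthru('id'); ?>"),  # script tag in text
    ]:
        try:
            validate_upload(name, data)
        except ValueError:
            rejected.append(name)
    return {
        "saved_in_upload_dir": os.path.dirname(saved) == upload_dir,
        "saved_ext": saved.rsplit(".", 1)[-1],
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that `unrestricted_save` gives an authenticated user a write primitive into a web-served directory with a name of their choosing, which is all that is needed for code execution; `safe_save` removes control of the name and path and rejects content that does not match the declared type.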