Vicidial svn 3454 (CVE-2021-35377) security notice from 2021

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Vicidial svn 3454 (CVE-2021-35377) security notice from 2021

Postby mflorell » Wed Mar 01, 2023 9:40 am

On June 15, 2021, security researcher Carlos Baeza Sanhueza reported multiple
reflected Cross-Site Scripting (XSS) vulnerabilities discovered in the login and
administration portal. Upon request, we have assigned a vulnerability identifier of
CVE-2021-35377.

Although the Vicidial development team released a new update in "svn/trunk rev
3455" in 2021, it is strongly recommended that the product be updated to the latest
available version.

Affected versions
2.9-401c BUILD: 140612-1626
2.10-415c CONSTRUCTION: 140918-1606
2.14-597c CONSTRUCTION: 191114-0949
2.14-610c CONSTRUCTION: 200528-2239

The affected versions are vulnerable to reflected XSS due to lack of proper
sanitization and escaping in the KHOMP_admin.php, vicidial-grey.php and
vicidial.php parameters. A cybercriminal can exploit this vulnerability to inject
JavaScript code to manipulate the page. Even an inexperienced attacker could trick
a site administrator into unknowingly exposing cookie values.
It is therefore critical that users update their product versions to ensure the security
of their website and protect against potential attacks.
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Return to General Discussion

Who is online

Users browsing this forum: No registered users and 62 guests