CVE-2021-43175 Information

Description

The GOautodial API prior to commit 3c3a979 made on October 13th 2021 exposes an API router that accepts a username password and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5