Vulnerabilities (CVE)

Filtered by vendor Goautodial Subscribe
Total 6 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-43176 1 Goautodial 2 Goautodial, Goautodial Api 2024-02-04 6.5 MEDIUM 8.8 HIGH
The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 takes a user-supplied “action” parameter and appends a .php file extension to locate and load the correct PHP file to implement the API call. Vulnerable versions of GOautodial do not sanitize the user input that specifies the action. This permits an attacker to execute any PHP source file with a .php extension that is present on the disk and readable by the GOautodial web server process. Combined with CVE-2021-43175, it is possible for the attacker to do this without valid credentials. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CVE-2021-43175 1 Goautodial 2 Goautodial, Goautodial Api 2024-02-04 5.0 MEDIUM 7.5 HIGH
The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
CVE-2015-2845 1 Goautodial 1 Goadmin Ce 2024-02-04 10.0 HIGH N/A
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO.
CVE-2015-2842 1 Goautodial 1 Goadmin Ce 2024-02-04 10.0 HIGH N/A
Unrestricted file upload vulnerability in go_audiostore.php in the audiostore (Voice Files) upload functionality in GoAutoDial GoAdmin CE 3.x before 3.3-1421902800 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in sounds/.
CVE-2015-2844 1 Goautodial 1 Goadmin Ce 2024-02-04 10.0 HIGH N/A
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000 allows remote attackers to execute arbitrary commands via the $action portion of the PATH_INFO.
CVE-2015-2843 1 Goautodial 1 Goadmin Ce 2024-02-04 7.5 HIGH N/A
Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_credentials/admin/ or (4) index.php/go_site/go_get_user_info/.