Mutare Security Advisory

Advisory IDMUTARE-2021-002
SeverityCritical
CVECVE-2021-27234
Published DateFebruary 5, 2021
Revision DateFebruary 16, 2021

Overview

SQL Injection

Affected Products/Versions

Mutare Voice (EVM), 3.0.0-3.3.7

Vulnerability Details

The Mutare Voice (EVM) web application suffers from SQL injection on several pages:

  • Adminlog.asp
  • Archivemsgs.asp
  • Deletelog.asp
  • Eventlog.asp
  • Evmlog.asp

The parameters in the pages are vulnerable to SQL injection. Both UNION and Stacked query injections are possible, allowing for full read/write access on the backed databases.

Workarounds

Affected pages are admin-facing and could be removed from user-facing implementations until the system could be patched.

Solution

Upgrading Mutare Voice (EVM) to release 3.3.8 fixes the vulnerability by utilizing prepared statements.

References

Acknowledgements

Mutare would like to thank Tesla for reporting this issue and working with Mutare to help protect our customers.