Mutare Security Advisory
| Advisory ID | MUTARE-2021-002 |
| Severity | Critical |
| CVE | CVE-2021-27234 |
| Published Date | February 5, 2021 |
| Revision Date | February 16, 2021 |
Overview
SQL Injection
Affected Products/Versions
Mutare Voice (EVM), 3.0.0-3.3.7
Vulnerability Details
The Mutare Voice (EVM) web application suffers from SQL injection on several pages:
- Adminlog.asp
- Archivemsgs.asp
- Deletelog.asp
- Eventlog.asp
- Evmlog.asp
The parameters in the pages are vulnerable to SQL injection. Both UNION and Stacked query injections are possible, allowing for full read/write access on the backed databases.
Workarounds
Affected pages are admin-facing and could be removed from user-facing implementations until the system could be patched.
Solution
Upgrading Mutare Voice (EVM) to release 3.3.8 fixes the vulnerability by utilizing prepared statements.
References
Acknowledgements
Mutare would like to thank Tesla for reporting this issue and working with Mutare to help protect our customers.