Mutare Security Advisory

Advisory ID: MUTARE-2021-003
Severity: High
CVE: CVE-2021-27235
Published Date: February 5, 2021
Revision Date: February 16, 2021

Overview

A utility allows data tables to be extracted.

Affected Products/Versions

Mutare Voice (EVM), 3.2.6 – 3.3.7

Vulnerability Details

On the admin portal of the Mutare Voice (EVM) web application, functionality at diagzip.asp allows anyone to export database tables for a specified date range while supplying any arbitrary e-mail address.

Workarounds

The getfile.asp file can be removed from the application.
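
To check whether the utility has been requested on an affected server, the following added example (not part of Mutare's advisory or product) scans web server logs for the two file names mentioned above. It assumes IIS W3C extended logs with a #Fields: header; the sample log lines, the /admin/ path and the addresses are constructed.

```python
"""Scan IIS W3C logs for requests to the files named in MUTARE-2021-003."""
import sys

# File names from the advisory; IIS matches URL paths case-insensitively.
WATCHED = ("diagzip.asp", "getfile.asp")

# Constructed sample log: hypothetical paths, documentation IP ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2021-02-01 09:14:02 192.0.2.10 admin GET /admin/default.asp - 200
2021-02-01 09:15:40 198.51.100.7 - GET /admin/DiagZip.asp - 200
2021-02-01 09:16:05 198.51.100.7 - POST /admin/diagzip.asp - 200
2021-02-02 11:00:00 203.0.113.5 - GET /admin/notdiagzip.asp - 404
2021-02-02 11:02:31 203.0.113.5 - GET /admin/getfile.asp - 404
"""

def find_hits(lines):
    """Return one dict per request whose final path segment is a watched file."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The field list can change mid-file after a restart; re-read it.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        leaf = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if leaf in WATCHED:
            # IIS logs "-" as cs-username when no user was authenticated.
            rec["anonymous"] = rec.get("cs-username", "-") == "-"
            hits.append(rec)
    return hits

if __name__ == "__main__":
    # Pass IIS log files as arguments; with none, the constructed sample is used.
    hits = [] if sys.argv[1:] else find_hits(SAMPLE_LOG.splitlines())
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += find_hits(fh)
    for h in hits:
        who = "anonymous" if h["anonymous"] else h["cs-username"]
        print(h.get("date"), h.get("time"), h.get("c-ip"), h["cs-uri-stem"], h.get("sc-status"), who)
```

A 200 status on a hit means the file was still present and served at that time; a 404 is what to expect once the file has been removed or the server upgraded.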

Solution

Upgrading Mutare Voice (EVM) to release 3.3.8 fixes the vulnerability by removing this utility.

References

None

Acknowledgements

Mutare would like to thank Tesla for reporting this issue and working with Mutare to help protect our customers.