Mutare Security Advisory

Advisory ID: MUTARE-2021-003
Severity: High
CVE: CVE-2021-27235
Published Date: February 5, 2021
Revision Date: February 16, 2021

Overview

A utility allows data tables to be extracted.

Affected Products/Versions

Mutare Voice (EVM), 3.2.6 – 3.3.7

Vulnerability Details

The admin portal of the Mutare Voice (EVM) web application includes a function at diagzip.asp that allows anyone to export database tables for a specified date range while supplying any arbitrary e-mail address.
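To check whether the utility was requested on an affected server, the web server logs can be reviewed for diagzip.asp, along with getfile.asp, the file named under Workarounds. The following is an added example, not Mutare's code: it assumes the portal is served by IIS with W3C extended logging, and the sample log, directory names and addresses are constructed.

```python
from collections import Counter

# File names taken from the advisory text; matched case-insensitively.
WATCHED_PAGES = {"diagzip.asp", "getfile.asp"}

# Constructed sample in IIS W3C extended format (not real traffic). The
# directory names and addresses are placeholders; the second #Fields line
# mimics a logging-configuration change partway through a file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-01-12 08:14:02 GET /placeholder/default.asp - 10.0.0.21 200
2021-01-12 09:30:45 GET /placeholder/DiagZip.asp - 198.51.100.7 200
2021-01-12 09:31:10 POST /placeholder/diagzip.asp - 198.51.100.7 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-01-13 02:05:19 203.0.113.9 GET /placeholder/getfile.asp 404
2021-01-13 02:05:20 203.0.113.9 GET /placeholder/notdiagzip.asp 200
"""

def find_hits(lines, pages=WATCHED_PAGES):
    """Return one dict per logged request whose page name is in `pages`."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                        # skip truncated or malformed rows
        rec = dict(zip(fields, values))
        page = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if page in pages:
            hits.append({"when": f"{rec.get('date')} {rec.get('time')}",
                         "client": rec.get("c-ip"), "page": page,
                         "method": rec.get("cs-method"),
                         "status": rec.get("sc-status")})
    return hits

def served_by_client(hits):
    """Count hits per client that the server answered with HTTP 200."""
    return Counter(h["client"] for h in hits if h["status"] == "200")

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["when"], h["client"], h["method"], h["page"], h["status"])
    print(dict(served_by_client(found)))
```

Requests answered with status 200 from addresses outside the administrators' usual range are the ones to follow up on first.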

Workarounds

The getfile.asp file can be removed from the application.

Solution

Upgrading Mutare Voice (EVM) to release 3.3.8 fixes the vulnerability by removing this utility.

References

None

Acknowledgements

Mutare would like to thank Tesla for reporting this issue and working with Mutare to help protect our customers.