Mutare Security Advisory
|Published Date||February 5, 2021|
|Revision Date||February 16, 2021|
Utility allows extract of data tables.
Mutare Voice (EVM), 3.2.6 – 3.3.7
On the admin portal of the Mutare Voice (EVM) web application, there is a functionality at diagzip.asp which allows anyone to export tables of database specified between mentioned dates while putting in any arbitrary e-mail address.
The getfile.asp file can be removed from the application.
Upgrading Mutare Voice (EVM) to release 3.3.8 fixes the vulnerability by removing this utility.
Mutare would like to thank Tesla for reporting this issue and working with Mutare to help protect our customers.