Mutare Security Advisory
Advisory ID | MUTARE-2021-003 |
Severity | High |
CVE | CVE-2021-27235 |
Published Date | February 5, 2021 |
Revision Date | February 16, 2021 |
Overview
A utility allows the extraction of data tables.
Affected Products/Versions
Mutare Voice (EVM), 3.2.6 – 3.3.7
Vulnerability Details
On the admin portal of the Mutare Voice (EVM) web application, a function at diagzip.asp allows anyone to export database tables for a specified date range while entering any arbitrary e-mail address.
Workarounds
The getfile.asp file can be removed from the application.
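To review whether the utility was reached before the workaround or upgrade was applied, the following added example (not Mutare's code) scans web server access logs for requests to the two file names this advisory mentions. It assumes IIS W3C extended log format; the sample log lines, the /admin/ paths and the addresses are constructed.

```python
from collections import defaultdict

# File names taken from this advisory (details and workaround sections).
WATCHED = ("diagzip.asp", "getfile.asp")

# Constructed sample: W3C extended format is an assumption, paths are
# hypothetical, addresses come from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-02-01 10:00:01 192.0.2.10 GET /admin/default.asp - 200
2021-02-01 10:00:05 198.51.100.7 GET /admin/diagzip.asp - 200
2021-02-01 10:00:09 198.51.100.7 POST /admin/DiagZip.asp - 200
2021-02-01 10:01:30 203.0.113.4 GET /admin/getfile.asp - 404
2021-02-01 10:02:00 192.0.2.10 GET /admin/diagzip.aspx - 200
"""

def find_hits(log_text):
    """Return one dict per request whose URI stem ends in a watched file name."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, parts))
        # Compare case-insensitively and on the final path segment only.
        name = row.get("cs-uri-stem", "").lower().rsplit("/", 1)[-1]
        if name in WATCHED:
            hits.append(row)
    return hits

def served_by_client(hits):
    """Group hits answered with a 2xx status, keyed by client address."""
    out = defaultdict(list)
    for h in hits:
        if h.get("sc-status", "").startswith("2"):
            out[h.get("c-ip", "?")].append(
                f'{h.get("date")} {h.get("time")} {h.get("cs-method")} {h.get("cs-uri-stem")}')
    return dict(out)

if __name__ == "__main__":
    for ip, reqs in served_by_client(find_hits(SAMPLE_LOG)).items():
        print(ip, *reqs, sep="\n  ")
```

A 2xx response for either file name after the workaround or upgrade indicates the file is still being served.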
Solution
Upgrading Mutare Voice (EVM) to release 3.3.8 fixes the vulnerability by removing this utility.
References
None
Acknowledgements
Mutare would like to thank Tesla for reporting this issue and working with Mutare to help protect our customers.