Mutare Security Advisory

Advisory ID: MUTARE-2021-005
Severity: Medium
CVE: TBD
Published Date: February 5, 2021
Revision Date: February 15, 2021

Overview

Cross-site scripting (XSS) vulnerability in admin.asp page.

Affected Products/Versions

Mutare Voice (EVM), 3.0.0-3.3.7

Vulnerability Details

On the admin portal of the Mutare Voice (EVM) web application, the admin.asp page has an XSS vulnerability. A user can be added on /admin.asp with the Full Name "><video><source onerror=eval(alert(1))>. This can be used to steal any user's session, since session cookies are not set with the HttpOnly flag.
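The two weaknesses the advisory describes, a stored field rendered into HTML without encoding and a session cookie issued without HttpOnly, are both addressed by standard controls. The following is an added illustration of those controls and is not Mutare's code, nor the fix shipped in release 3.3.8; the renderUserRow template, the parseSetCookie/missingCookieFlags audit helpers, the SESSIONID cookie name and the sample user record are all hypothetical and constructed for the example.

```javascript
// Added example (not Mutare's code): contextual output encoding for a
// user-controlled field such as "Full Name", plus a Set-Cookie audit and
// builder that enforce the HttpOnly flag the advisory notes was missing.

// Escape the five characters that can break out of an HTML text or
// attribute context. Applied at output time, a stored value is rendered
// as literal text instead of being parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hypothetical server-side template for one row of a user list: every
// untrusted value passes through escapeHtml() before it reaches the page.
function renderUserRow(user) {
  return `<tr><td>${escapeHtml(user.username)}</td>` +
         `<td>${escapeHtml(user.fullName)}</td></tr>`;
}

// Parse a Set-Cookie header value into the cookie name and the set of
// attribute names (compared case-insensitively, as RFC 6265 requires).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, attributes };
}

// Audit helper: list the hardening flags absent from a session cookie.
// HttpOnly is the one that stops script access to the cookie value.
function missingCookieFlags(header) {
  const { attributes } = parseSetCookie(header);
  return ['httponly', 'secure', 'samesite'].filter((f) => !attributes.has(f));
}

// Build a hardened Set-Cookie value for a session identifier. The cookie
// name is a placeholder, not the product's actual session cookie.
function buildSessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample data: the Full Name payload quoted in the advisory,
// stored exactly as submitted, and a weak session cookie with no flags.
const STORED_USER = {
  username: 'alice',
  fullName: '"><video><source onerror=eval(alert(1))>',
};
const WEAK_COOKIE = 'SESSIONID=abc123; Path=/';

if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module) {
  console.log(renderUserRow(STORED_USER));
  console.log('missing flags:', missingCookieFlags(WEAK_COOKIE).join(', '));
  console.log(buildSessionCookie('SESSIONID', 'abc123'));
}
```

Encoding is applied where the value is written into HTML rather than where it is received, because the same stored name may later be emitted into a different context (JSON, a log line, an attribute) that needs a different encoder. The cookie audit is the check to run against the real application's response headers: a session cookie reported as missing httponly is what turns a reflected or stored XSS into session theft.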

Workarounds

Affected pages are admin-facing and could be removed from user-facing implementations until the system can be patched.

Solution

Upgrading Mutare Voice (EVM) to release 3.3.8 fixes the vulnerability by obfuscating the external password values via the web portal.

References

Acknowledgements

Mutare would like to thank Tesla for reporting this issue and working with Mutare to help protect our customers.