| Published Date | February 5, 2021 |
| Revision Date | February 15, 2021 |
The admin.asp page on the admin portal of the Mutare Voice (EVM) web application has a cross-site scripting (XSS) vulnerability. One can add a User on /admin.asp with Full Name “><video><source onerror=eval(alert(1))>. Because session cookies are not set with the HttpOnly flag, this can be used to steal any user’s session.
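The two conditions described above, a Full Name echoed without HTML encoding and a session cookie without HttpOnly, can be checked as in the following added example, which is not Mutare's code. The form field markup, the function names and the Set-Cookie headers are constructed for illustration, and the Full Name value is assumed to begin with a straight double quote.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Full Name value from the advisory, typed with a straight double quote (assumption).
FULL_NAME = '"><video><source onerror=eval(alert(1))>'

# Constructed Set-Cookie headers; the cookie names are placeholders.
SAMPLE_HEADERS = [
    "SAMPLESESSION=abc123; path=/",
    "SAMPLEPREF=1; path=/; HttpOnly",
]


def render_name_field(full_name, encode=True):
    """Echo a stored Full Name into a hypothetical admin form field."""
    value = html.escape(full_name, quote=True) if encode else full_name
    return '<input type="text" name="fullname" value="%s">' % value


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(markup):
    """List the elements an HTML parser sees; extra tags mean the value broke out."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def cookies_missing_httponly(set_cookie_headers):
    """Return names of cookies that page script could read via document.cookie."""
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        missing += [name for name, morsel in jar.items() if not morsel["httponly"]]
    return missing


if __name__ == "__main__":
    print(parsed_tags(render_name_field(FULL_NAME, encode=False)))
    print(parsed_tags(render_name_field(FULL_NAME)))
    print(cookies_missing_httponly(SAMPLE_HEADERS))
```

With encoding on, the parser sees only the `input` element and the value stays inside the attribute; the cookie check reports the one constructed cookie that lacks HttpOnly.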
Mutare would like to thank Tesla for reporting this issue and working with Mutare to help protect our customers.