PT-2021-23761 · Unknown · Goautodial

Scott Tolley · Published 2021-12-07 · Updated 2021-12-09 · CVE-2021-43176

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GOautodial versions prior to commit 3c3a979

Description: The issue allows an attacker to execute any PHP source file with a .php extension that is present on the disk and readable by the GOautodial web server process. This is possible because the action parameter is not sanitized, permitting the execution of arbitrary PHP files.

Recommendations: For versions prior to commit 3c3a979, update to a version that includes the commit 3c3a979 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive PHP files to minimize the risk of exploitation.
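As an added illustration of the defensive pattern for this class of bug (this is not GOautodial's code, and the advisory does not show the vulnerable handler): an allowlisted dispatcher for an action parameter, beside the weak pattern it replaces. The ./actions/ layout, the constant names and the action names are assumptions.

```php
<?php
// Added example (not GOautodial's code). Assumes a front controller that maps
// an "action" request parameter to a PHP file under ./actions/; that layout,
// the constant names and the action names are hypothetical.

const ACTION_DIR = __DIR__ . '/actions';

// Explicit allowlist: the only action names that may ever be dispatched.
const ALLOWED_ACTIONS = ['login', 'dashboard', 'report'];

// Weak pattern the advisory describes: the request value goes straight into
// the path that is included, so any readable .php file on disk, including
// ones reached via ../ segments, ends up executed. Shown for contrast only.
function dispatch_unsafe(string $action): void
{
    include ACTION_DIR . '/' . $action . '.php';
}

// Hardened resolver: returns the absolute path of the file to include, or
// null when the request must be rejected. Two independent checks:
//   1. exact allowlist match (strict comparison, no normalisation);
//   2. the resolved path must still be inside ACTION_DIR.
function resolve_action(string $action, string $dir = ACTION_DIR,
                        array $allowed = ALLOWED_ACTIONS): ?string
{
    if (!in_array($action, $allowed, true)) {
        return null;                         // unknown or malformed name
    }
    $base      = realpath($dir);
    $candidate = realpath($dir . '/' . $action . '.php');
    if ($base === false || $candidate === false) {
        return null;                         // directory or file missing
    }
    // Containment check: candidate must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                         // escaped the action directory
    }
    return $candidate;
}

function dispatch_safe(string $action): void
{
    $file = resolve_action($action);
    if ($file === null) {
        http_response_code(400);             // reject instead of including
        exit('invalid action');
    }
    include $file;
}
```

The front controller would call dispatch_safe((string)($_GET['action'] ?? '')); the advisory does not state whether GOautodial reads the parameter from GET or POST, so that read is an assumption. resolve_action() has no side effects, so it can be unit-tested against a temporary directory before wiring it in.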

Weakness Enumeration: Relative Path Traversal (Path traversal)

Related Identifiers: CVE-2021-43176

Affected Products: Goautodial