CVE-2020-37018
Description
GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedded JavaScript that will execute when an administrator reads the message, potentially stealing session cookies or executing client-side attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GOautodial 4.0 has a persistent XSS vulnerability where authenticated agents can inject JavaScript in message subjects, executing when an administrator reads the message.
Vulnerability
Description
GOautodial 4.0 contains a persistent cross-site scripting (XSS) vulnerability (CWE-79) in its internal messaging system. Message subjects are not properly sanitized before being displayed, allowing injection of arbitrary scripts [2].
Exploitation
An authenticated agent can craft a message with a malicious subject line containing JavaScript. When the administrator (e.g., 'goadmin') reads the message, the script executes in the context of the administrator's session [3]. No special network position is required beyond access to the application.
Impact
Successful exploitation can lead to session cookie theft, enabling account takeover, or other client-side attacks performed within the administrator's browser session [2].
Mitigation
The vendor has acknowledged the issue and states that a fix is available in their GitHub repository [1]. Users are advised to update to the latest version from the repository to remediate the vulnerability.
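The root cause named above (CWE-79, a message subject rendered without output encoding) is easiest to see next to the fix. The following is an added illustration, not GOautodial code and not the vendor's patch; the function names, the `from`/`subject` fields and the sample message are assumed for the example. It contrasts the vulnerable pattern of concatenating an untrusted subject into HTML with the hardened pattern of encoding every untrusted field for the HTML text context before it reaches the administrator's inbox page.

```javascript
// Contextual HTML output encoding for an untrusted message subject.
// Added example only; names and fields are hypothetical, not GOautodial's.

// Encode the five characters that can change meaning in an HTML text or
// attribute context. Applied at render time, not at storage time, so the
// original subject is preserved and every display path is covered.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern (CWE-79): agent-controlled fields are concatenated
// straight into the markup the administrator's browser will parse.
function renderInboxRowUnsafe(msg) {
  return `<tr><td>${msg.from}</td><td>${msg.subject}</td></tr>`;
}

// Hardened pattern: the same row, with each untrusted field encoded.
function renderInboxRowSafe(msg) {
  return `<tr><td>${escapeHtml(msg.from)}</td><td>${escapeHtml(msg.subject)}</td></tr>`;
}

// Defensive check a reviewer or test can run over rendered output: after
// encoding, no raw tag from an untrusted field should survive as markup.
function containsRawScriptTag(html) {
  return /<\s*script/i.test(html);
}

// Constructed sample message: a subject carrying embedded script markup.
const SAMPLE_MESSAGE = {
  from: "agent01",
  subject: "Callback <script>alert(1)</script>",
};

// Stand-alone demonstration.
console.log("unsafe:", renderInboxRowUnsafe(SAMPLE_MESSAGE));
console.log("safe:  ", renderInboxRowSafe(SAMPLE_MESSAGE));
console.log("raw script in safe output:", containsRawScriptTag(renderInboxRowSafe(SAMPLE_MESSAGE)));
```

Encoding belongs at the output boundary for every place the subject is displayed (inbox list, message view, notification popups), since a filter applied only on input is easily bypassed by a second display path. Setting the `HttpOnly` flag on the session cookie limits the cookie-theft impact described above even where an encoding gap remains.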
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Range: 4.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.