Synopsys Cybersecurity Research Center (CyRC) research has discovered multiple vulnerabilities in the all-in-one call center software suite GOautodial. Broken authentication and local file inclusion lead to information disclosure and remote code execution in the GOautodial API.

The suite, which has 50,000 users in call centers around the world, is open source and freely available to download, and it is also available as a paid cloud service from multiple providers. The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution by any authenticated user via unrestricted file upload.

The first issue (CVE-2021-43175: Broken authentication) falls under the A01 Broken Access Control category on the OWASP Top 10 list. This vulnerability allows any attacker with access to the internal network hosting GOautodial to steal sensitive configuration data such as default passwords from the GOautodial server, without needing any credentials such as a username or password. This data could then be used to connect to other related systems on the network such as VoIP phones or services.

The second issue (CVE-2021-43176: Local file inclusion with path traversal) allows any authenticated user at any level, including contact center employees, to perform remote code execution. This would allow them to gain complete control over the GOautodial application on the server, steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behavior such as stealing passwords or spoofing communications (sending messages or emails that look like they come from someone else).