On June 15, 2021, security researcher Carlos Baeza Sanhueza reported multiple
reflected Cross-Site Scripting (XSS) vulnerabilities discovered in the login and
administration portal. Upon request, we have assigned a vulnerability identifier of
CVE-2021-35377.
Although the Vicidial development team released a new update in "svn/trunk rev
3455" in 2021, it is strongly recommended that the product be updated to the latest
available version.
Affected versions
2.9-401c BUILD: 140612-1626
2.10-415c CONSTRUCTION: 140918-1606
2.14-597c CONSTRUCTION: 191114-0949
2.14-610c CONSTRUCTION: 200528-2239
The affected versions are vulnerable to reflected XSS due to lack of proper
sanitization and escaping in the KHOMP_admin.php, vicidial-grey.php and
vicidial.php parameters. A cybercriminal can exploit this vulnerability to inject
JavaScript code to manipulate the page. Even an inexperienced attacker could trick
a site administrator into unknowingly exposing cookie values.
It is therefore critical that users update their product versions to ensure the security
of their website and protect against potential attacks.