Vicidial svn 3454 (CVE-2021-35377) security notice from 2021
Posted: Wed Mar 01, 2023 9:40 am
On June 15, 2021, security researcher Carlos Baeza Sanhueza reported multiple
reflected Cross-Site Scripting (XSS) vulnerabilities discovered in the login and
administration portal. Upon request, we have assigned a vulnerability identifier of
CVE-2021-35377.
Although the Vicidial development team released a new update in "svn/trunk rev
3455" in 2021, it is strongly recommended that the product be updated to the latest
available version.
Affected versions
2.9-401c BUILD: 140612-1626
2.10-415c BUILD: 140918-1606
2.14-597c BUILD: 191114-0949
2.14-610c BUILD: 200528-2239
The affected versions are vulnerable to reflected XSS because request parameters
handled by KHOMP_admin.php, vicidial-grey.php and vicidial.php are written back
into the page without proper sanitization and escaping. An attacker can exploit this
to inject JavaScript that manipulates the page. Even an inexperienced attacker could
trick a site administrator into unknowingly exposing cookie values.
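To make the root cause concrete from a defender's side, here is an added illustration in Python (not Vicidial code; the notice names the affected PHP files but reproduces no source). It uses a hypothetical handler that echoes a query-string parameter into an HTML response, shows the unescaped pattern beside the escaped one, adds a check a tester or reviewer can run against a response body to see whether markup in a parameter comes back intact, and shows the cookie flags that limit what a reflected XSS can reach. The query string and cookie values are constructed sample data.

```python
"""Reflected XSS: unescaped parameter echo vs. context-aware escaping.

Added illustration, not Vicidial code. The handler below is a hypothetical
stand-in for a PHP page that reflects a query-string parameter into HTML.
"""
import html
from urllib.parse import parse_qs

# Constructed sample request: the parameter value carries HTML markup.
SAMPLE_QUERY = "user_group=<b>agents</b>&page=1"


def _param(query: str, name: str) -> str:
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """Mirrors the flaw the notice describes: the parameter is written into the
    page body as-is, so any markup the browser can interpret survives."""
    group = _param(query, "user_group")
    return f"<p>Results for group: {group}</p>"


def render_fixed(query: str) -> str:
    """Hardened form: escape for the HTML context before the value reaches the
    response (quote=True also makes it safe inside attribute values)."""
    group = html.escape(_param(query, "user_group"), quote=True)
    return f"<p>Results for group: {group}</p>"


def reflects_raw_markup(response_body: str, param_value: str) -> bool:
    """Review-side check: True when a parameter value containing '<' or '>' is
    reflected in the response with those characters intact, i.e. unescaped."""
    has_markup = "<" in param_value or ">" in param_value
    return has_markup and param_value in response_body


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value that limits the blast radius of a reflected XSS:
    HttpOnly keeps the cookie out of document.cookie, Secure and SameSite
    restrict where it is sent."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_QUERY))
    print("fixed:     ", render_fixed(SAMPLE_QUERY))
    print("raw markup reflected (vulnerable):",
          reflects_raw_markup(render_vulnerable(SAMPLE_QUERY), "<b>agents</b>"))
    print("raw markup reflected (fixed):     ",
          reflects_raw_markup(render_fixed(SAMPLE_QUERY), "<b>agents</b>"))
    print("cookie:", session_cookie_header("sid", "constructed-value"))
```

The escaping has to happen at output time and match the output context (HTML body, attribute, JavaScript string, URL); the `HttpOnly` flag does not fix the XSS, it only stops the "exposing cookie values" outcome the notice describes, so it complements rather than replaces the update.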
It is therefore critical that users update their product versions to ensure the security
of their website and protect against potential attacks.