Geocall – v. 6.3 (Build < 2:346977) Multiple Vulnerabilities
09-01-2019
Incorrect Access Control
Affected Products and Versions: Geocall – v. 6.3 (Build < 2:346977)
CVE: CVE-2019-5891
Executive Summary
A critical vulnerability was discovered in Geocall v 6.3: an unauthenticated
servlet allows an attacker to obtain the session cookies of authenticated users
and log in to the web application as those users.
Remediation: Upgrade to Build 2:346977
Timeline:
23/10/2018 – Initial vendor contact
23/10/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
08/01/2019 – Vendor released a fixed version
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5891
Discoverer: Claudio Cinquino
Insecure Permission
Affected Products and Versions: Geocall – v. 6.3 (Build < 2:346977)
CVE: CVE-2019-5890
Executive Summary
A critical vulnerability was discovered in Geocall v 6.3: weak authentication
and session management allow an authenticated user to gain access to the
administrative control panel and execute administrative functions.
Remediation: Upgrade to Build 2:346977
Timeline:
23/10/2018 – Initial vendor contact
23/10/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
08/01/2019 – Vendor released a fixed version
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5890
Discoverer: Claudio Cinquino
Cross Site Scripting (XSS)
Affected Products and Versions: Geocall – v. 6.3 (Build < 2:346977)
CVE: CVE-2019-5888
Executive Summary
A critical vulnerability was discovered in Geocall v 6.3: multiple cross-site
scripting (XSS) vulnerabilities, both reflected and stored, are present.
Remediation: Upgrade to Build 2:346977
Timeline:
23/10/2018 – Initial vendor contact
23/10/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
08/01/2019 – Vendor released a fixed version
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5888
Discoverer: Claudio Cinquino
Directory Traversal
Affected Products and Versions: Geocall – v. 6.3 (Build < 2:346977)
CVE: CVE-2019-5889
Executive Summary
A critical vulnerability was discovered in Geocall v 6.3: a directory traversal
vulnerability is present in the log management functionality.
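The advisory does not say which parameter of the log management feature is affected, so the following is an added illustration of the vulnerability class, not Geocall's code: a log-viewer handler that joins a user-supplied file name onto the log directory (the exploitable pattern), beside a hardened version that decodes the name once, resolves the candidate path and refuses anything that does not stay inside the log directory. The directory LOG_ROOT and all request strings are assumed values constructed for the example.

```python
import os
from urllib.parse import unquote

# Assumed log directory for this illustration; not Geocall's actual layout.
LOG_ROOT = "/srv/app/logs"


def vulnerable_log_path(requested: str, log_root: str = LOG_ROOT) -> str:
    """Exploitable pattern: join the user-supplied name onto the log directory
    and trust the result. '../' segments (or an absolute path) walk out of
    log_root, so the handler reads arbitrary files the process can open."""
    return os.path.normpath(os.path.join(log_root, unquote(requested)))


def escapes_log_root(requested: str, log_root: str = LOG_ROOT) -> bool:
    """True when the naive handler above would read outside log_root."""
    root = os.path.normpath(log_root)
    target = vulnerable_log_path(requested, log_root)
    return os.path.commonpath([root, target]) != root


def safe_log_path(requested: str, log_root: str = LOG_ROOT):
    """Hardened version: decode once, reject null bytes and absolute paths,
    resolve the candidate (realpath follows symlinks) and require it to stay
    under log_root. Returns the resolved path, or None to refuse the request.

    The containment test uses commonpath rather than startswith, so a sibling
    directory whose name merely begins with log_root (e.g. /srv/app/logs2)
    is also rejected."""
    name = unquote(requested)
    if "\x00" in name or os.path.isabs(name):
        return None
    root = os.path.realpath(log_root)
    candidate = os.path.realpath(os.path.join(root, name))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed requests: one legitimate, three traversal attempts
    # (plain, URL-encoded, and the sibling-directory prefix trick).
    for req in ("app.log", "../../../etc/passwd",
                "%2e%2e%2fetc/passwd", "../logs2/app.log"):
        print(f"{req!r}: naive -> {vulnerable_log_path(req)}"
              f"  hardened -> {safe_log_path(req)}")
```

Running the block shows the naive handler resolving ../../../etc/passwd to /etc/passwd, while the hardened handler returns None for every traversal attempt and a path under LOG_ROOT only for app.log. The decode-once step matters: if the framework has already URL-decoded the parameter, decoding again would turn a double-encoded %252e%252e%252f into ../ after the checks, so decode exactly as many times as the server does and then validate.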
Remediation: Upgrade to Build 2:346977
Timeline:
23/10/2018 – Initial vendor contact
23/10/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
08/01/2019 – Vendor released a fixed version
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5889
Discoverer: Claudio Cinquino