• Consulting
  • Information Security
  • Networking
  • Software Development
  • R&D
  • Geocall – v. 6.3 (Build < 2:346977) Multiple Vulnerabilities

    09-01-2019

    Incorrect Access Control

    Affected Products and Versions: Geocall – v. 6.3 (Build < 2:346977)

    CVE: CVE-2019-5891

    Executive Summary
    A critical vulnerability was discovered in Geocall v 6.3, the unauthenticated servlet allows the attacker to obtain cookie of the authenticated users and login to the web application.

    Remediation: Upgrade to Build 2:346977

    Timeline:
    23/10/2018 – Initial vendor contact

    23/10/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure

    08/01/2019 – Vendor released a fixed version

    References

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5891

    Discoverer: Claudio Cinquino

    Insecure Permission

    Affected Products and Versions: Geocall – v. 6.3 (Build < 2:346977)

    CVE: CVE-2019-5890

    Executive Summary
    A critical vulnerability was discovered in Geocall v 6.3, the Weak authentication and session management allows the authenticated user to obtain access to Administrative control panel and execute administrative functions.

    Remediation: Upgrade to Build 2:346977

    Timeline:
    23/10/2018 – Initial vendor contact

    23/10/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure

    08/01/2019 – Vendor released a fixed version

    References

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5890

    Discoverer: Claudio Cinquino

    Cross Site Scripting (XSS)

    Affected Products and Versions: Geocall – v. 6.3 (Build < 2:346977)

    CVE: CVE-2019-5888

    Executive Summary
    A critical vulnerability was discovered in Geocall v 6.3, Multiple XSS Vulnerabilities Reflected and Stored.

    Remediation: Upgrade to Build 2:346977

    Timeline:
    23/10/2018 – Initial vendor contact

    23/10/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure

    08/01/2019 – Vendor released a fixed version

    References

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5888

    Discoverer: Claudio Cinquino

    Directory Trasversal

    Affected Products and Versions: Geocall – v. 6.3 (Build < 2:346977)

    CVE: CVE-2019-5889

    Executive Summary
    A critical vulnerability was discovered in Geocall v 6.3, a Directory traversal vulnerability has been found in the log management

    Remediation: Upgrade to Build 2:346977

    Timeline:
    23/10/2018 – Initial vendor contact

    23/10/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure

    08/01/2019 – Vendor released a fixed version

    References

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5889

    Discoverer: Claudio Cinquino