Overview
The Mutare Software Enabled VoiceMail (EVM) system web interface is susceptible to cross-site request forgery and cross-site scripting attacks.
Description
The Mutare Software Enabled VoiceMail (EVM) system web interface allows the user to change their Enabled VoiceMail (EVM) PIN, delete their voice messages, and add or modify their email delivery address for voicemails. These HTTP requests do not perform proper validity checks and are susceptible to cross-site request forgery and cross-site scripting attacks.
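The following is an added example, not Mutare's code and not part of the original note: a server-side validity check of the kind the description says is missing, covering the cross-site request forgery side for the three state-changing requests. The action names, the `csrf_token` form field and the origin value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical action names for the three operations the note lists.
STATE_CHANGING = {"change_pin", "delete_message", "set_email"}

# Per-deployment secret (assumption); it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Anti-forgery token embedded in each form, bound to the user's session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_valid(method, action, session_id, headers, form, site_origin):
    """Return True only if a state-changing request came from the site's own form."""
    if action not in STATE_CHANGING:
        return True  # read-only views need no anti-forgery check
    if method != "POST":
        return False  # a followed link issues a GET; never change state on GET
    # Reject cross-origin submissions when the browser reports the source.
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" != site_origin:
            return False
    # Another site cannot read the user's token, so it cannot supply it.
    supplied = form.get("csrf_token", "")
    expected = issue_token(session_id)
    return hmac.compare_digest(supplied.encode(), expected.encode())
```

The token check only holds while the pages are free of script injection, so output encoding of user-controlled fields is needed alongside it.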
Impact
An attacker can change a user's Enabled VoiceMail (EVM) PIN, delete their voice messages, and add or modify their email delivery address for voicemails, if able to trick a user into visiting a specially crafted link.
Solution
We are currently unaware of a practical solution to this problem.
Restrict access
Acknowledgements
Thanks to Travis Lee for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
CVE IDs: None
Severity Metric: 2.16
Date Public: 2011-02-23
Date First Published: 2011-02-23
Date Last Updated: 2011-02-23 14:19 UTC
Document Revision: 16