#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  MobiCall
# Vendor:   New Voice
# CSNC ID:  CSNC-2022-005
# Subject:  Cross-Site Scripting
# Severity: Medium
# Effect:   Cross-Site Scripting
# Author:   Adrian Kress
# Date:     2022-04-01
#
#############################################################

Introduction
------------
MobiCall offers a centralized software management platform that enables
organizations to integrate their existing communication infrastructure
(voice, text and video) with existing 3rd party systems. This provides a
single platform that allows detection and centralization of all events and
alarms, ensuring an efficient and pre-determined response to any
circumstance. MobiCall enables the automation of processes, ensuring the
most effective response to reduce risk. [1]

In a customer project, we managed to inject malicious JavaScript code via
the URL of the login page of MobiCall. Since MobiCall (version 11.0.6) does
not apply any output encoding to this reflected value, the result is a
reflected cross-site scripting vulnerability.

Technical Description
---------------------
An attacker can send the following URL as a link to a victim:

https://vulnerable_mobicall_host/login.php?">

When the victim clicks on the link, the malicious JavaScript code is
executed in the victim's browser. Since the code runs directly on the login
page, it can be used to redirect the victim to a phishing page or to steal
their credentials.

Vulnerability Classification
----------------------------
CVSS v3.1 Metrics [2]:
- CVSS Base Score: 6.1 (Medium)
- CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Workaround / Fix
----------------
Upgrade MobiCall version 11.0.6.

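The following is an added illustration of the defect class described above, not code from Compass Security or New Voice: a login page that echoes the request target into an HTML attribute without encoding, shown beside the encoded version. It assumes the reflected value is the request path plus query string placed inside a quoted attribute (an assumption; the advisory does not show the vulnerable source), and the URL it uses is a constructed sample.

```python
"""Reflected request target on a login page: raw vs. attribute-encoded output.

Constructed illustration of an attribute-context reflected XSS. A request target
that contains a double quote closes the attribute when echoed raw, and whatever
follows becomes markup. Encoding for the attribute context prevents that.
"""
import html
import re
from urllib.parse import urlsplit

# Minimal stand-in for a login form whose action attribute echoes the request target.
FORM = ('<form method="post" action="{action}">'
        '<input name="user"><input name="pass" type="password"></form>')

# Tags the template itself emits; anything else in the output came from the input.
TEMPLATE_TAGS = {"form", "input"}


def request_uri(url):
    """Path plus query string, i.e. what a server-side page sees as the request target."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def render_vulnerable(url):
    """Echo the request target verbatim into action="..." (the defect class in the advisory)."""
    return FORM.format(action=request_uri(url))


def render_fixed(url):
    """Encode for the HTML-attribute context first; quote=True also escapes ' and "."""
    return FORM.format(action=html.escape(request_uri(url), quote=True))


def injected_tags(page):
    """Tag names in the page that the template did not emit; non-empty means attribute break-out."""
    return [t for t in re.findall(r"<\s*([a-zA-Z]+)", page) if t.lower() not in TEMPLATE_TAGS]


if __name__ == "__main__":
    # Constructed sample: a harmless <b> element stands in for any injected markup.
    sample = 'https://vulnerable_mobicall_host/login.php?"><b>x</b>'
    print("raw output injects:", injected_tags(render_vulnerable(sample)))   # ['b']
    print("encoded output injects:", injected_tags(render_fixed(sample)))    # []
```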
Timeline
--------
2022-02-20 10:00: Vulnerability discovered at customer
2022-02-21 19:30: NewVoice received information about the vulnerability
2022-02-22 09:00: NewVoice released version with fixed vulnerability and informed customer
2022-04-01 00:00: Public disclosure

References
----------
[1] https://www.newvoiceinternational.com/mobicall/mobicall-platform/
[2] https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N