Search criteria
3 vulnerabilities by sytel
CVE-2025-2495 (GCVE-0-2025-2495)
Vulnerability from cvelistv5 – Published: 2025-03-18 11:28 – Updated: 2025-03-18 13:00
VLAI?
Title
Stored Cross-Site Scripting (XSS) vulnerability in Softdial Contact Center
Summary
Stored Cross-Site Scripting (XSS) in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to upload XML files to the server with JavaScript code injected via the ‘/softdial/scheduler/save.php’ resource. The injected code will execute when the uploaded file is loaded via the ‘/softdial/scheduler/load.php’ resource and can redirect the victim to malicious sites or steal their login information to spoof their identity.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sytel Ltd | Softdial Contact Center |
Affected:
all versions
|
Credits
Víctor Rodríguez Carreño
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T12:59:38.260439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T13:00:38.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Softdial Contact Center",
"vendor": "Sytel Ltd",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Rodr\u00edguez Carre\u00f1o"
}
],
"datePublic": "2025-03-18T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (XSS) in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to upload XML files to the server with JavaScript code injected via the \u2018/softdial/scheduler/save.php\u2019 resource. The injected code will execute when the uploaded file is loaded via the \u2018/softdial/scheduler/load.php\u2019 resource and can redirect the victim to malicious sites or steal their login information to spoof their identity."
}
],
"value": "Stored Cross-Site Scripting (XSS) in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to upload XML files to the server with JavaScript code injected via the \u2018/softdial/scheduler/save.php\u2019 resource. The injected code will execute when the uploaded file is loaded via the \u2018/softdial/scheduler/load.php\u2019 resource and can redirect the victim to malicious sites or steal their login information to spoof their identity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T11:28:28.483Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-softdial-contact-center"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) vulnerability in Softdial Contact Center",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-2495",
"datePublished": "2025-03-18T11:28:28.483Z",
"dateReserved": "2025-03-18T09:23:44.816Z",
"dateUpdated": "2025-03-18T13:00:38.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2494 (GCVE-0-2025-2494)
Vulnerability from cvelistv5 – Published: 2025-03-18 11:27 – Updated: 2025-03-18 13:02
VLAI?
Title
Unrestricted file upload vulnerability in Softdial Contact Center
Summary
Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the ‘/softdial/phpconsole/upload.php’ endpoint, which is protected by basic HTTP authentication. The files are uploaded to a directory exposed by the web application, which could result in code execution, giving the attacker full control over the server.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sytel Ltd | Softdial Contact Center |
Affected:
all versions
|
Credits
Víctor Rodríguez Carreño
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T13:00:53.304221Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T13:02:27.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Softdial Contact Center",
"vendor": "Sytel Ltd",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Rodr\u00edguez Carre\u00f1o"
}
],
"datePublic": "2025-03-18T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the \u2018/softdial/phpconsole/upload.php\u2019 endpoint, which is protected by basic HTTP authentication. The files are uploaded to a directory exposed by the web application, which could result in code execution, giving the attacker full control over the server."
}
],
"value": "Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the \u2018/softdial/phpconsole/upload.php\u2019 endpoint, which is protected by basic HTTP authentication. The files are uploaded to a directory exposed by the web application, which could result in code execution, giving the attacker full control over the server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T11:27:07.636Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-softdial-contact-center"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unrestricted file upload vulnerability in Softdial Contact Center",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-2494",
"datePublished": "2025-03-18T11:27:07.636Z",
"dateReserved": "2025-03-18T09:23:43.896Z",
"dateUpdated": "2025-03-18T13:02:27.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2493 (GCVE-0-2025-2493)
Vulnerability from cvelistv5 – Published: 2025-03-18 11:20 – Updated: 2025-03-18 13:08
VLAI?
Title
Path Traversal vulnerability in Softdial Contact Center
Summary
Path Traversal vulnerability in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to manipulate the ‘id’ parameter of the ‘/softdial/scheduler/load.php’ endpoint to navigate beyond the intended directory. This can allow unauthorised access to sensitive files outside the expected scope, posing a security risk.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sytel Ltd | Softdial Contact Center |
Affected:
all versions
|
Credits
Víctor Rodríguez Carreño
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T13:07:52.938573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T13:08:11.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Softdial Contact Center",
"vendor": "Sytel Ltd",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "V\u00edctor Rodr\u00edguez Carre\u00f1o"
}
],
"datePublic": "2025-03-18T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal vulnerability in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to manipulate the \u2018id\u2019 parameter of the \u2018/softdial/scheduler/load.php\u2019 endpoint to navigate beyond the intended directory. This can allow unauthorised access to sensitive files outside the expected scope, posing a security risk."
}
],
"value": "Path Traversal vulnerability in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to manipulate the \u2018id\u2019 parameter of the \u2018/softdial/scheduler/load.php\u2019 endpoint to navigate beyond the intended directory. This can allow unauthorised access to sensitive files outside the expected scope, posing a security risk."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T11:23:49.277Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-softdial-contact-center"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path Traversal vulnerability in Softdial Contact Center",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-2493",
"datePublished": "2025-03-18T11:20:15.330Z",
"dateReserved": "2025-03-18T09:23:42.920Z",
"dateUpdated": "2025-03-18T13:08:11.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}