Multiple vulnerabilities in Softdial Contact Center

Publication date 18/03/2025
Identifier
INCIBE-2025-0144
Importance
4 - High
Affected Resources

Softdial Contact Center.

Description

INCIBE has coordinated the publication of three vulnerabilities, two of high severity and one of medium severity, affecting Softdial Contact Center by Sytel Ltd, a contact centre management product. The vulnerabilities were discovered by Víctor Rodríguez Carreño of the Telefónica Tech team.

Each vulnerability has been assigned a CVE identifier, a CVSS v4.0 base score and vector, and a CWE weakness type:

  • CVE-2025-2493: CVSS v4.0: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-22
  • CVE-2025-2494: CVSS v4.0: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-434
  • CVE-2025-2495: CVSS v4.0: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

There is no reported solution at this time.

Detail
  • CVE-2025-2493: Path traversal in Softdial Contact Center of Sytel Ltd. An unauthenticated attacker (PR:N in the vector above) can manipulate the ‘id’ parameter of the ‘/softdial/scheduler/load.php’ endpoint to navigate outside the intended directory and read sensitive files beyond the expected scope.
  • CVE-2025-2494: Unrestricted file upload in Softdial Contact Center of Sytel Ltd. An attacker holding valid credentials (the ‘/softdial/phpconsole/upload.php’ endpoint is protected by HTTP basic authentication, hence PR:L) can upload arbitrary files. Because the files are written to a directory served by the web application, this can lead to code execution and give the attacker full control of the server.
  • CVE-2025-2495: Stored cross-site scripting (XSS) in Softdial Contact Center of Sytel Ltd. An attacker can save XML content containing injected JavaScript through the ‘/softdial/scheduler/save.php’ resource. The injected code executes in the browser of any user who later loads that file through ‘/softdial/scheduler/load.php’ and can redirect the victim to malicious sites or steal their credentials in order to impersonate them.
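With no vendor fix available, the practical action for a defender is to look for exploitation of the three endpoints named above. The script below is an added example, not code from INCIBE, Telefónica Tech or Sytel: it scans web-server access logs for traversal sequences in the ‘id’ parameter of load.php (CVE-2025-2493) and for accepted uploads to upload.php (CVE-2025-2494), and scans stored scheduler XML for script content (CVE-2025-2495). It assumes an Apache/nginx "combined" access-log format and that the XML saved through save.php can be read back as text; the server layout is not described in the advisory, and the sample log lines are constructed.

```python
"""Hunting for exploitation of the three Softdial Contact Center issues
above. Added example; log format and storage layout are assumptions."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the advisory.
LOAD_PHP = "/softdial/scheduler/load.php"
UPLOAD_PHP = "/softdial/phpconsole/upload.php"

# Apache/nginx "combined" access-log line, up to the status code (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Markup that has no business inside a scheduler definition.
SCRIPT_RE = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b|javascript\s*:|\son[a-z]+\s*=", re.I
)


def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding; double encoding is a
    common way to slip '../' past a naive filter."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True when a decoded parameter value tries to escape its directory."""
    v = decode_fully(value).replace("\\", "/")
    return "../" in v or v.startswith("/") or "\x00" in v


def classify_line(line):
    """Return (cve, reason) for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = decode_fully(parts.path)
    if path == LOAD_PHP:
        # CVE-2025-2493: any 'id' value that walks out of the scheduler directory.
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            if is_traversal(value):
                return ("CVE-2025-2493", f"traversal in id={value!r}")
    elif path == UPLOAD_PHP and m.group("method") == "POST" and m.group("status")[0] == "2":
        # CVE-2025-2494: every accepted upload lands in a web-exposed directory,
        # so each one should be tied back to a known administrator action.
        return ("CVE-2025-2494", f"upload accepted for user {m.group('user')}")
    return None


def scan_log(lines):
    """Apply classify_line to every line; returns [(cve, ip, reason), ...]."""
    hits = []
    for line in lines:
        found = classify_line(line)
        if found:
            ip = LOG_RE.match(line).group("ip")
            hits.append((found[0], ip, found[1]))
    return hits


def xml_has_script(xml_text):
    """CVE-2025-2495: flag stored scheduler XML carrying HTML/JavaScript.
    Entities are unescaped first, since a viewer that decodes them would
    turn '&lt;script&gt;' back into live markup."""
    return bool(SCRIPT_RE.search(html.unescape(xml_text)))


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2025:10:01:02 +0100] "GET /softdial/scheduler/load.php?id=weekly HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Mar/2025:10:01:09 +0100] "GET /softdial/scheduler/load.php?id=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1904 "-" "curl/8.4.0"',
    '198.51.100.7 - admin [18/Mar/2025:10:02:30 +0100] "POST /softdial/phpconsole/upload.php HTTP/1.1" 200 48 "-" "python-requests/2.31"',
    '203.0.113.9 - - [18/Mar/2025:10:03:00 +0100] "GET /softdial/index.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for cve, ip, reason in scan_log(SAMPLE_LOG):
        print(f"{cve}\t{ip}\t{reason}")
    print(xml_has_script('<schedule name="&lt;script&gt;alert(1)&lt;/script&gt;"/>'))
```

Access logs do not record request bodies, so the XSS check has to run over the stored scheduler XML (or over a proxy capture that keeps bodies) rather than over the log. Upload hits are not proof of compromise by themselves, since the endpoint requires credentials; each one should be reconciled with legitimate administrator activity, and the uploaded file inspected.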