CVE-2019-25316
Persistent XSS in GOautodial 4.0 Event Title Parameter
Publication date: 2026-02-11
Last updated on: 2026-02-11
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goautodial | goautodial | up to 4.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25316 is a persistent (stored) cross-site scripting vulnerability in GOautodial version 4.0 and earlier. It lives in the CreateEvent.php endpoint: an authenticated user can submit an event whose title parameter contains JavaScript, and the title is stored without being neutralized.
Because the stored title is later written into pages served to other authenticated users, the injected script runs in their browsers with their session, which can expose their session or data.
The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation). Exploitation has low attack complexity, needs only low privileges (any account that can create events), and requires user interaction in the sense that a victim has to view the stored event.
How can this vulnerability impact me?
An attacker who can create events can run arbitrary JavaScript in the browser of every authenticated user who views the event list, which enables session hijacking, theft of data shown in the application, or manipulation of the interface (for example, forged forms or redirected links).
The impact on confidentiality, integrity, and availability is limited in scope, as reflected in the CVSS assessment, but it applies to every user of the affected instance.
The attacker needs an account and a victim has to view the event, which narrows the exposure; it remains significant wherever many users share the system, since a single stored payload reaches all of them.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by submitting a test payload in the event title parameter via a POST request to the /php/CreateEvent.php endpoint while authenticated, then checking how the stored title is rendered. Only do this against systems you are authorized to test.
A practical detection method is to send a crafted POST request with a simple script payload such as <script>alert("TEST");</script> in the title parameter and then verify whether the script executes when the event is viewed. A more reliable variant is to use a unique marker string instead of an alert and inspect the raw HTML of the page that lists events: if the markup around the marker comes back verbatim rather than HTML-encoded, the title is not being neutralized, regardless of whether a popup appears.
Example command using curl to test for the vulnerability (the session cookie of an authenticated account must be included; --data-urlencode encodes the payload so it is transmitted intact):

```shell
curl -X POST \
  --data-urlencode "title=<script>alert('TEST');</script>" \
  -b "<session cookie name>=<value>" \
  https://target/goautodial/php/CreateEvent.php
```

If the injected script executes in the browser of an authenticated user viewing the event, or the raw <script> tag appears unencoded in the event page's HTML, the vulnerability is present.
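The following harness is an added example, not part of the advisory or of GOautodial's own code. It automates the check described above: it stores an event whose title carries a unique marker wrapped in a harmless <u> tag, fetches the page that renders events, and reports whether the tag survived verbatim (title not encoded, vulnerable), was encoded or stripped, or is missing entirely. The endpoint path /php/CreateEvent.php and the parameter name `title` come from the advisory; the URL of the page that renders stored titles, the session cookie, and any additional form fields CreateEvent.php may require are assumptions the tester supplies.

```python
"""Added example, not part of the advisory or of GOautodial itself: a
small harness for the detection method described above.

From the advisory: the endpoint path /php/CreateEvent.php and the POST
parameter name "title". Assumptions supplied by the tester: the URL of
the page that later renders the stored event title (the advisory does
not name it), the session cookie, and any other fields the form needs.

Instead of waiting for alert() to fire in a browser, the harness stores
a unique marker wrapped in a harmless <u> tag and reads the raw HTML of
the rendering page: the tag surviving verbatim means the title is output
without HTML encoding (stored XSS); the marker appearing without the raw
tag means it was encoded or stripped.
"""
import secrets
import urllib.parse
import urllib.request
from typing import Optional


def make_probe(marker: str) -> str:
    """Benign probe title: renders as underlined text if unencoded, but its
    survival proves that markup in the title is not neutralized."""
    return f'<u id="{marker}">{marker}</u>'


def classify_reflection(page_html: str, probe: str, marker: str) -> str:
    """How the stored probe shows up in the fetched page.

    'raw'         -> probe tag present verbatim: title not encoded (vulnerable)
    'neutralized' -> marker text present, raw tag not: encoded or stripped
    'absent'      -> marker not found: wrong page, wrong session or not saved
    """
    if probe in page_html:
        return "raw"
    if marker in page_html:
        return "neutralized"
    return "absent"


def submit_event(create_url: str, cookie: str, title: str,
                 extra_fields: Optional[dict] = None) -> int:
    """POST the probe title to CreateEvent.php. Other form fields, if the
    form requires them, are an assumption passed in by the tester."""
    fields = {"title": title}
    fields.update(extra_fields or {})
    req = urllib.request.Request(
        create_url,
        data=urllib.parse.urlencode(fields).encode(),
        method="POST",
        headers={"Cookie": cookie,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status


def fetch_page(url: str, cookie: str) -> str:
    """GET the page that renders stored events, as the same authenticated user."""
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=15) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def probe_target(base_url: str, view_url: str, cookie: str,
                 extra_fields: Optional[dict] = None) -> str:
    """Full check: create an event with the probe title, then classify how the
    view page renders it. Run only against systems you are authorized to test."""
    marker = "xsschk" + secrets.token_hex(4)
    probe = make_probe(marker)
    create_url = base_url.rstrip("/") + "/php/CreateEvent.php"
    submit_event(create_url, cookie, probe, extra_fields)
    return classify_reflection(fetch_page(view_url, cookie), probe, marker)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py https://target/goautodial <event-view-url> "
                 "'<cookie name>=<value>'")
    print(probe_target(sys.argv[1], sys.argv[2], sys.argv[3]))
```

The probe deliberately uses a non-executing tag: the question is whether markup survives output, not whether a popup fires, and a `<u>` tag that survives is exactly as conclusive as a `<script>` tag while leaving nothing harmful in the production database. It only covers a title rendered as an HTML text node; a title written into an attribute or a script block would need a context-specific probe.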
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected CreateEvent.php endpoint so that only trusted, authenticated accounts that genuinely need to create events can reach it; the attacker here is an authenticated user, so authentication alone is not a control.
Apply a version of GOautodial in which the event title is neutralized (HTML-encoded) when it is written into the page; if no fixed release is available, consider taking the event feature or the application out of use until it is.
As a temporary workaround, monitor and filter POST requests to the CreateEvent.php endpoint for payloads containing script tags or other XSS vectors. Treat this as a stopgap only: filters keyed on <script> are routinely bypassed with event-handler attributes or nested tags, and the durable fix is contextual output encoding of the stored title wherever it is rendered.
Finally, tell users that the payload runs as soon as an affected event is viewed, not only on a click, so unexpected or oddly formatted event titles should be reported rather than opened repeatedly until the vulnerability is resolved.
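The example below is added here and is not from the advisory or the GOautodial code base. It puts the request-filtering workaround next to the fix the advisory calls for, neutralizing the title when it is written into the page, and shows with constructed payloads why the filter alone is insufficient: an event-handler attribute and a nested-tag payload both pass a single-pass <script> filter untouched or rebuild into a script tag, while output encoding leaves no raw tag in any of the cases and still preserves the text the user typed. The payload strings and the table-row template are constructed for the demonstration; the page does not show GOautodial's actual template.

```python
"""Added example, not from the advisory or the GOautodial code base: why
filtering POST bodies for <script> tags is only a stopgap, shown next to
the fix the advisory calls for, neutralizing the stored title where it is
written into the page. The payload strings and the row template below are
constructed for the demonstration. The title is emitted as an HTML text
node here; a title placed inside an attribute or a <script> block needs
the encoding rules for that context instead.
"""
import html
import re

# Constructed inputs: the advisory's own test payload plus two common
# variants that a <script>-tag filter does not stop.
PAYLOADS = {
    "plain_script": "<script>alert('TEST');</script>",
    "event_handler": '<img src=x onerror="alert(\'TEST\')">',
    "nested_tag": "<scr<script>ipt>alert('TEST')</scr</script>ipt>",
}

_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
_RAW_TAG = re.compile(r"<\s*[A-Za-z/!]")


def naive_filter(title: str) -> str:
    """Request-filtering stopgap of the kind described above: strip
    <script ...> and </script> from the submitted title in one pass."""
    return _SCRIPT_TAG.sub("", title)


def encode_for_html(title: str) -> str:
    """Output encoding for an HTML text node. This is the actual fix: the
    title is stored as typed and encoded when rendered. PHP equivalent:
    htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')."""
    return html.escape(title, quote=True)


def contains_raw_tag(fragment: str) -> bool:
    """True if the fragment can still open an HTML tag when placed in a
    text node, i.e. the browser would parse markup out of it."""
    return _RAW_TAG.search(fragment) is not None


def round_trips(title: str) -> bool:
    """Encoding preserves the data: decoding the encoded title gives the
    original back, so the user sees the literal text they typed."""
    return html.unescape(encode_for_html(title)) == title


def render_event_row(title_html: str) -> str:
    """Constructed template line for an event list. Pass it
    encode_for_html(title); passing the raw stored title instead is the
    CWE-79 pattern the advisory describes."""
    return f'<tr><td class="event-title">{title_html}</td></tr>'


def compare(title: str) -> dict:
    """Side-by-side verdict for one stored title: does a raw tag survive
    under each approach?"""
    return {
        "filter_only": contains_raw_tag(naive_filter(title)),
        "encode_on_output": contains_raw_tag(encode_for_html(title)),
    }


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:14s} filtered -> {naive_filter(payload)!r}")
        print(f"{'':14s} verdict  -> {compare(payload)}")
```

Running it shows the filter removing the advisory's plain `<script>` payload but passing the `<img ... onerror>` payload unchanged and turning the nested payload back into a clean `<script>` tag, while the encoded output never contains a raw tag for any of the three. That asymmetry is why filtering belongs at the perimeter as a temporary signal and encoding belongs in the template as the fix.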