WombatDialer Security Update: Addressing Two Vulnerabilities
Today, February 18th 2025, two security vulnerabilities that were recently identified in WombatDialer are being publicly disclosed. We believe in transparency and want to share the details with our users.
Vulnerability Details
CVE-2024-57055 - Server-Side Access Control Bypass
WombatDialer uses a client-server model in which the client requests services from the server. Access to these services is restricted according to the grants (security keys) held by the user. The access checks were enforced on the client side, but the server did not consistently re-verify them, so a user without the required grant could potentially invoke certain services directly, bypassing the client. This issue was limited to the services used by the client (not the general-purpose JSON services) and exploiting it requires reverse engineering the proprietary serialization protocol, which makes it difficult to exploit in practice.
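To make the class of bug concrete, here is an added example (not WombatDialer code): a toy service dispatcher in which the client hides services the user is not entitled to, while the server either trusts that filtering (the vulnerable pattern) or re-checks the grant on every call (the fix). The service names, security keys, the Session structure and the request format are all hypothetical.

```python
# Added example, not WombatDialer code: a toy client/server service dispatcher
# illustrating client-side-only access control versus server-side enforcement.
# Service names, security keys and the Session structure are hypothetical.
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the caller does not hold the security key a service needs."""


@dataclass(frozen=True)
class Session:
    user: str
    keys: frozenset  # security keys (grants) held by this user


# Hypothetical services and the security key each one requires.
REQUIRED_KEY = {
    "listCampaigns": "CAMPAIGN_VIEW",
    "editCampaign": "CAMPAIGN_EDIT",
    "shutdownDialer": "ADMIN",
}


def run_service(name, session):
    """The service body itself; it should only be reachable after an access check."""
    return f"{name} executed for {session.user}"


def client_menu(session):
    """Client-side control: the UI only offers the services the user may call."""
    return sorted(n for n, k in REQUIRED_KEY.items() if k in session.keys)


def dispatch_trusting_client(name, session):
    """Vulnerable pattern: the server assumes the client already filtered the
    menu, so a hand-crafted request for a hidden service is executed anyway."""
    if name not in REQUIRED_KEY:
        raise AccessDenied(f"unknown service {name}")
    return run_service(name, session)


def dispatch(name, session):
    """Hardened pattern: the server re-checks the grant on every call and
    denies by default, regardless of what the client displayed."""
    required = REQUIRED_KEY.get(name)
    if required is None or required not in session.keys:
        raise AccessDenied(f"{session.user} may not call {name}")
    return run_service(name, session)


def attempt(dispatcher, name, session):
    """Outcome of a crafted request, as a plain string for easy comparison."""
    try:
        return dispatcher(name, session)
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    agent = Session("agent1", frozenset({"CAMPAIGN_VIEW"}))
    print(client_menu(agent))                                       # ['listCampaigns']
    print(attempt(dispatch_trusting_client, "shutdownDialer", agent))  # executes
    print(attempt(dispatch, "shutdownDialer", agent))                  # denied
```

The point of the example is the third line of output: the menu filtering in `client_menu` is a usability feature, not a security boundary, because anyone who can speak the wire protocol can name a service the UI never showed. The only check that counts is the one in `dispatch`, which is applied on the server for every request and fails closed for unknown service names.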
See CVE-2024-57055
CVE-2024-57056 - Incorrect Session Cookie Handling
In the affected services, the full session identifier was written to the system logs. This was intended to let administrators correlate activity in the WombatDialer logs with logs from other systems, such as an HTTP front end. Unfortunately, a malicious attacker who obtains the logs could also use it to impersonate an existing user session. To mitigate this, only the initial and terminal parts of the cookie are now written to the logs.
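As an added illustration of that mitigation (not WombatDialer's code), the following masks a session cookie before it reaches the log, keeping only enough of it to correlate entries across systems. The cookie name (JSESSIONID), the log format and the sample lines are constructed for this example.

```python
# Added example, not WombatDialer code: masking a session cookie before it is
# logged, keeping only the first and last few characters for correlation.
# The cookie name, log format and sample lines are constructed for this example.
import re

SESSION_COOKIE = "JSESSIONID"   # assumption; the page does not name the cookie
KEEP = 4                        # characters kept at each end of the token

_COOKIE_RE = re.compile(rf"({SESSION_COOKIE}=)([A-Za-z0-9._~+/=-]+)")


def redact_token(token, keep=KEEP):
    """Keep the first and last `keep` characters of a token. Short tokens are
    masked entirely, since keeping both ends would reveal most of the value."""
    if len(token) <= 2 * keep:
        return "*" * len(token)
    return f"{token[:keep]}...{token[-keep:]}"


def redact_line(line):
    """Replace every session cookie value on a log line with its masked form."""
    return _COOKIE_RE.sub(lambda m: m.group(1) + redact_token(m.group(2)), line)


def redact_log(lines):
    return [redact_line(line) for line in lines]


def leaks_token(lines, token):
    """True if the full token still appears anywhere in the given lines."""
    return any(token in line for line in lines)


# Constructed sample of the pre-fix behaviour: the full cookie on every line.
TOKEN = "3F2A9C1B7E4D6A0F8B5C2D1E9F7A6B4C"
SAMPLE_LOG = [
    f"2025-02-18 10:01:02 INFO  [LoginService] user=agent1 {SESSION_COOKIE}={TOKEN} login ok",
    f"2025-02-18 10:01:09 INFO  [CampaignService] {SESSION_COOKIE}={TOKEN} listCampaigns",
    "2025-02-18 10:01:10 INFO  [Scheduler] tick",
]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
    print("full token still present:", leaks_token(redact_log(SAMPLE_LOG), TOKEN))
```

Two practical notes. The mask should be applied at the logging call site (or in a logging filter) so the full token never leaves the process that owns it; scrubbing log files afterwards is too late. And `KEEP` must be chosen against the token's entropy: for a 32-character hexadecimal identifier, keeping 4 + 4 characters leaves 24 unknown, which is worthless to an attacker but still lets an operator match the same session across WombatDialer and front-end logs.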
See CVE-2024-57056
Mitigation
Both vulnerabilities are addressed in WombatDialer version 25.02, which was released on Jan 30, 2025. We strongly recommend that all users upgrade to this version immediately to ensure their systems are secure.
Important Note: We have no evidence to suggest that these vulnerabilities have been exploited in the wild.
Acknowledgement
We would like to thank Mr. Aleksandr Rudkovskii “exe_cute” for identifying and responsibly reporting these vulnerabilities during a security audit. His diligence has helped us to improve the security of WombatDialer.
How to Upgrade
To upgrade to the latest version of WombatDialer, see Upgrading WombatDialer.
We are committed to the security of our products and appreciate your continued support. If you have any questions or concerns, please do not hesitate to contact our support services.
What now?
All details for this release are available on our What’s New in WombatDialer 25.02.
To update from a previous version, see Updating.
If you’d like a test-drive, visit https://www.wombatdialer.com/ for a full featured trial.