Most of the individual API functions appear to contain their own additional checks on user identity, credentials, and session state, which means that they are not vulnerable to exploitation. However, goGetSystemSettingInfo.php, which leaks sensitive configuration details including system passwords, certainly is.
CVSS 3.1 base score: 5.3 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
CVE-2021-43176: Local file inclusion with path traversal
The API router takes a user-supplied “action” parameter and appends a .php file extension to locate and load the correct PHP file to implement the API call. Vulnerable versions of GOautodial do not sanitize the user input that specifies the action. This permits an attacker to execute any PHP source file with a .php extension that is present on the disk and readable by the GOautodial web server process. Combined with CVE-2021-43175, it is possible for the attacker to do this without valid credentials.
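The following is an added illustration, not GOautodial's code, of the router pattern the advisory describes and of a hardened replacement. The handler directory, the action names and the file names are assumptions chosen for the example. The fix has three parts: the action must be a bare identifier, it must map through an allowlist to a fixed file name, and the resolved path must still lie inside the handler directory after canonicalisation, so neither traversal sequences nor arbitrary readable .php files can be reached.

```php
<?php
// Added example (not GOautodial's code). HANDLER_DIR and the action names
// are assumptions for illustration.

// Handlers live in one fixed directory; only names on this allowlist load.
const HANDLER_DIR = __DIR__ . '/api';
const ALLOWED_ACTIONS = [
    'getCampaigns' => 'goGetCampaigns.php',
    'getUserInfo'  => 'goGetUserInfo.php',
];

// The pattern the advisory describes: the action is concatenated into a path
// with no validation, so "../" sequences reach any readable .php on disk.
function routeUnsafe(string $action): void
{
    require HANDLER_DIR . '/' . $action . '.php';
}

// Hardened resolution: identifier syntax only, allowlist lookup, and a
// post-canonicalisation containment check as defence in depth.
function resolveAction(string $action): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $action)) {
        return null;                       // separators, dots, NUL bytes rejected
    }
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;                       // unknown action, never a raw file name
    }
    $path = realpath(HANDLER_DIR . '/' . ALLOWED_ACTIONS[$action]);
    $base = realpath(HANDLER_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved outside HANDLER_DIR
    }
    return $path;
}

function routeSafe(string $action): void
{
    $path = resolveAction($action);
    if ($path === null) {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'unknown action']);
        return;
    }
    require $path;
}

routeSafe($_GET['action'] ?? '');
```

Because the allowlist already maps each action to a fixed file name, the `realpath` containment check is redundant by design; it stays so that a later refactor of the lookup cannot silently reintroduce traversal. Requests for unknown actions are answered with a generic 400 rather than an include error, which also avoids leaking the handler layout.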
If the attacker can upload arbitrary PHP files to the server, that would allow arbitrary code execution on the server.
Regular authenticated users of the GOautodial system—such as call center employees—can send messages including attachments to other users. These attachments are saved with their original filename in a predictable location on the server. This means that any regular authenticated user of the GOautodial system can upload and execute arbitrary PHP files on the server.
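As an added example (not GOautodial's code), the following shows how an attachment upload handler can store files so that the two properties the advisory relies on, the original filename and the predictable web-served location, no longer hold. The storage directory, the form field name and the allowed types are assumptions for the example.

```php
<?php
// Added example (not GOautodial's code). ATTACHMENT_DIR, the field name
// "attachment" and the accepted types are assumptions for illustration.

// Stored outside the document root: the web server never serves or executes
// these files directly; downloads go through an authorising PHP endpoint.
const ATTACHMENT_DIR = '/var/lib/app/attachments';
const MAX_BYTES      = 10 * 1024 * 1024;
const ALLOWED_EXT    = ['pdf', 'png', 'jpg', 'jpeg', 'txt', 'csv'];
const ALLOWED_MIME   = ['application/pdf', 'image/png', 'image/jpeg',
                        'text/plain', 'text/csv'];

// Returns the opaque stored name on success, null on any rejection.
function storeAttachment(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // The client-supplied name decides only whether to accept the upload;
    // it is never used to build a path on disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Sniff the real content type instead of trusting the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return null;
    }

    // Random, extension-less server-side name: the location cannot be
    // predicted and the file can never be interpreted as PHP.
    $storedName = bin2hex(random_bytes(16));
    $dest = ATTACHMENT_DIR . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);

    // The caller records $storedName with the display name and the sender;
    // the download endpoint checks that the requester is a recipient and
    // serves the bytes with Content-Disposition: attachment.
    return $storedName;
}

$storedName = storeAttachment($_FILES['attachment'] ?? []);
```

If the storage directory cannot be moved outside the document root, the same outcome needs a web server rule that disables script execution for that directory (for Apache, a `php_admin_flag engine off` or an equivalent handler override in the directory's configuration), since an allowlist on extension and MIME type alone is not sufficient once an attacker controls the file's contents.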
CVSS 3.1 base score: 8.8 (high)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C