CVE-2020-37018

MEDIUM

GOautodial 4.0 - Authenticated Stored Cross-Site Scripting via Message Subject

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37018. PoCs published by Balzabu.

AI-analyzed exploit summary This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in GOautodial 4.0. An authenticated attacker can inject malicious JavaScript into a message, which executes when the recipient views it, potentially stealing cookies or session data.

Description

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedded JavaScript that will execute when an administrator reads the message, potentially stealing session cookies or executing client-side attacks.

Exploits (1)

exploitdb WORKING POC
by Balzabu · textwebappsphp
https://www.exploit-db.com/exploits/48690

This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in GOautodial 4.0. An authenticated attacker can inject malicious JavaScript into a message, which executes when the recipient views it, potentially stealing cookies or session data.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: GOautodial 4.0
Auth required
Prerequisites: Authenticated access as an agent · Recipient (goadmin) must view the malicious message
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/48690
Various Sources product
https://goautodial.org/

Scores

CVSS v3 6.4
EPSS 0.0024
EPSS Percentile 15.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Published Jan 29, 2026
Tracked Since Feb 18, 2026