Multiple vulnerabilities in Dowisp

Posted date 25/11/2025
Identifier
INCIBE-2025-0664
Importance
3 - Medium
Affected Resources

Dowisp, versions prior to 2.0.1.

Description

INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Dowisp, software used to manage telecommunications operators. The vulnerabilities were discovered by José Luis Platas Feced.

These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • CVE-2025-41071 and CVE-2025-41072: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79.
     
Solution

The vulnerabilities have been fixed by the Dowisp team in version 2.0.1. Furthermore, these vulnerabilities affected the platform hosted on the dowisp.app domain, which has been closed; the platform is now hosted on app.dowisp.com with the fixes applied.

Detail

A stored Cross-Site Scripting (XSS) vulnerability has been found in Dowisp. This vulnerability allows an attacker to store malicious SVG content by sending an HTTP POST request in which a space is appended to the end of the JSON parameter value, bypassing the security check. The relationship between parameters and assigned identifiers is as follows:

  • CVE-2025-41071: parameter 'attachment.file.name' in '/d2/helpdesk/ticket/<id>/add_comment/'.
  • CVE-2025-41072: parameter 'file.name' in '/d2/helpdesk/ticket//attachments/'.
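The trailing-space bypass described above comes down to checking a filename before canonicalising it. The following is an added example, not Dowisp's code or the researcher's, that places the naive denylist a trailing space defeats next to a normalise-then-allowlist validator which also decides how the stored file may be served; the extension sets and function names are assumptions.

```python
import unicodedata
from pathlib import PurePosixPath

# Hypothetical policy sets (an assumption, not Dowisp's own configuration).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp", "pdf", "txt", "csv", "zip"}
# SVG is deliberately absent from both sets: it is XML that may carry <script>
# and event handlers, so a browser executes it when the file is rendered inline.
INLINE_SAFE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}
BLOCKED_EXTENSIONS = {"svg", "svgz", "html", "htm", "xhtml", "xml", "js"}


def weak_is_blocked(name: str) -> bool:
    """Denylist check on the raw value: 'evil.svg ' yields the extension 'svg ',
    which is not in the denylist, so the upload is accepted."""
    return name.lower().rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS


def normalize_filename(raw: str) -> str:
    """Canonicalise before any policy decision is made."""
    name = unicodedata.normalize("NFKC", raw)              # fold look-alikes (fullwidth etc.)
    name = "".join(ch for ch in name if ch.isprintable())  # drop control / zero-width chars
    name = PurePosixPath(name.replace("\\", "/")).name     # keep the last path component only
    return name.strip(" .\t\r\n")                          # defeat trailing space/dot tricks


def validate_upload_name(raw: str) -> tuple[bool, str, str]:
    """Return (accepted, stored_name, content_disposition).

    The decision is taken on the normalised name against an allowlist, and the
    response disposition is derived from that same extension: only known-inert
    image types are served inline, everything else is forced to download.
    Serve uploads with X-Content-Type-Options: nosniff as well (not shown)."""
    name = normalize_filename(raw)
    if not name or "." not in name:
        return False, "", ""
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if not stem or ext not in ALLOWED_EXTENSIONS:
        return False, "", ""
    disposition = "inline" if ext in INLINE_SAFE_EXTENSIONS else "attachment"
    return True, f"{stem}.{ext}", disposition
```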
     
CVE
Exploitation
No
New Vendor
Dowisp
CVE Identifier
CVE-2025-41071
Severity
Medium
Exploitation
No
New Vendor
Dowisp
CVE Identifier
CVE-2025-41072
Severity
Medium
Tags