Description:

Mutare Software EVM 2.2.9 (and possibly earlier versions) is vulnerable to CSRF and XSS. An attacker could do the following to a user's EVM settings:

A. Change their EVM PIN
B. Delete all of their voice messages
C. Change or add any of their delivery addresses for voicemails

CERT Vulnerability Note: http://www.kb.cert.org/vuls/id/136612

Proof of Concept:

CSRF:

Mutare Software EVM CSRF PoC

XSS:

https://evoicemail.domain.com/default.asp?Subscriber=12345%22%20onclick=%22javascript:alert%281%29;
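As an added example (not part of the advisory or the vendor's code), a log check that flags requests whose Subscriber value has the attribute-break-out shape shown above; the access-log format and the assumption that a legitimate Subscriber value is purely numeric are mine.

```python
# Added example: detect reflected-XSS attempts against the Mutare EVM "Subscriber"
# parameter in web server access logs. Assumptions (not from the advisory): an
# Apache/IIS-style log line containing "METHOD target HTTP/x.y", and that a
# legitimate Subscriber value is a numeric id.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines: one benign request and one matching the PoC shape.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:00 +0000] "GET /default.asp?Subscriber=12345 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2012:10:00:07 +0000] "GET /default.asp?Subscriber=12345%22%20onclick=%22javascript:alert%281%29; HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markers of attribute break-out or script injection (quotes, angle brackets,
# an on*= event handler, or a javascript: scheme).
INJECTION_RE = re.compile(r"""["'<>]|\bon\w+\s*=|javascript:""", re.IGNORECASE)


def subscriber_findings(log_text):
    """Return (line_no, decoded_value, reason) for each request to /default.asp
    whose Subscriber parameter is not a plain numeric id."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != "/default.asp":
            continue
        # parse_qs percent-decodes the value, so the %22 / %28 sequences become " and (.
        for value in parse_qs(parts.query, keep_blank_values=True).get("Subscriber", []):
            if value.isdigit():
                continue  # expected shape: numeric subscriber id
            reason = "injection markers" if INJECTION_RE.search(value) else "non-numeric"
            findings.append((line_no, value, reason))
    return findings


if __name__ == "__main__":
    for line_no, value, reason in subscriber_findings(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: Subscriber={value!r}")
```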