Description
A vulnerability in the chat implementation of ProCall client for Windows could allow hackers with access to the chat functionality of ProCall Enterprise over the network to execute commands through a chat message.
The vulnerability is due to inadequate handling of links in the chat window of the ProCall client for Windows. This would theoretically allow a hacker to execute commands (e.g. JavaScript, ActiveX) in the underlying Microsoft Internet Explorer over the network, i.e. from another ProCall client, via the contact portal or the multimedia business card or federation. To exploit the vulnerability, the hacker needs access to the chat functionality of ProCall Enterprise.
estos has already released a software update to address the vulnerability. As a workaround, the chat functionality of ProCall Enterprise can be temporarily disabled.
Affected versions
This vulnerability affects all previously released versions of ProCall 6 Enterprise (EOL) and ProCall 7 Enterprise.
- 7.0 (all sub-versions)
- 6.0, 6.1, 6.2, 6.3, 6.4 (all sub-versions)
Workaround
As a workaround, the chat functionality can be completely disabled to prevent the chat window from opening.
Versions with bug fixes
estos has already released updates with fixes to the vulnerability. Customers and partners can obtain updates through the known channels and follow the normal update process.
- ProCall 7 Enterprise ≥ 7.0.3.3355
- ProCall 6 Enterprise ≥ 6.4.11.3356
End-of-life
Please note the following: If you are using older estos product versions that are no longer supported (End-of-Life has been reached), we strongly recommend updating your software to the current versions for security reasons.
This is because security patches are only regularly developed and made available for current software versions.
