Click-to-Call for Twilio - Reflected cross-site scripting (XSS)
Summary
| Name | Click-to-Call for Twilio twili - Reflected cross-site scripting (XSS) |
|---|---|
| Code name | skims-0003 |
| Product | Click-to-Call for Twilio |
| Affected versions | Version twili |
| State | Private |
| Release date | 2025-03-14 |
Vulnerability
| Kind | Reflected cross-site scripting (XSS) |
|---|---|
| Rule | Reflected cross-site scripting (XSS) |
| Remote | No |
| CVSSv4 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U |
| CVSSv4 Base Score | 4.8 (Medium) |
| Exploit available | No |
| CVE ID(s) | CVE-2025-31288 |
Description
Click-to-Call for Twilio twili was found to be vulnerable to reflected cross-site scripting. In myapp/lib/outbound.php, the web application dynamically generates web content from potentially untrusted data (the welcome request parameter) without validating its source.
Vulnerability
Skims by Fluid Attacks discovered a reflected cross-site scripting (XSS) vulnerability in Click-to-Call for Twilio twili. The following is the output of the tool:
Skims output

```
6 | $welcome = urldecode($_GET['welcome']);
7 | header("content-type: text/xml");
8 | echo "<?xml version="1.0" encoding="UTF-8"?>
";
9 | ?>
10 | <Response>
11 | <?php
12 | if( $welcome){
13 | echo '<Say>'. $welcome.'</Say>';
14 | }
15 | ?>
16 | <Dial>
17 | <Number url="screen_for_machine.php">
> 18 | <?php echo $agentNumber; ?>
19 | </Number>
20 | </Dial>
21 | <Say>Goodbye.</Say>
22 | </Response>
^ Col 0
```
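The following is an added example, not code from the advisory or from the Click-to-Call for Twilio plugin. It places the pattern Skims flagged (the URL-decoded `welcome` parameter concatenated into a `<Say>` element) beside a hardened version of the same response that constrains the parameter and builds the TwiML with DOMDocument, so that text nodes are escaped on output. The parameter name `welcome`, the `<Say>`/`<Dial>`/`<Number>` layout and the `screen_for_machine.php` URL come from the tool output above; the helper names, the length limit and the sample request values are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): the flagged pattern beside a
// hardened equivalent. Names, limits and sample values are assumptions.

declare(strict_types=1);

// Flagged pattern: untrusted input is concatenated straight into the XML body,
// so markup characters in the parameter change the document structure.
function render_unsafe(array $get, string $agentNumber): string
{
    $welcome = isset($get['welcome']) ? urldecode($get['welcome']) : '';
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Response>";
    if ($welcome) {
        $xml .= '<Say>' . $welcome . '</Say>';
    }
    $xml .= '<Dial><Number url="screen_for_machine.php">' . $agentNumber . '</Number></Dial>';
    $xml .= '<Say>Goodbye.</Say></Response>';
    return $xml;
}

// Constrain the greeting before it is used anywhere. Returns null on rejection.
function sanitize_welcome($raw): ?string
{
    // $_GET may carry arrays (welcome[]=x); accept a scalar string only.
    if (!is_string($raw)) {
        return null;
    }
    // PHP already URL-decodes $_GET. A second urldecode(), as in the flagged
    // code, alters the data after any upstream checks ran, so it is omitted.
    $text = trim($raw);
    if ($text === '' || !mb_check_encoding($text, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($text, 'UTF-8') > 200) {
        return null; // assumed limit for a spoken greeting
    }
    // Reject control, format and other non-printable code points.
    // preg_match() returns false on malformed input, so test for !== 0.
    if (preg_match('/\p{C}/u', $text) !== 0) {
        return null;
    }
    return $text;
}

// Hardened pattern: the XML library owns the serialisation, so element text
// is escaped and cannot open or close elements.
function render_safe(array $get, string $agentNumber): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $response = $doc->createElement('Response');
    $doc->appendChild($response);

    $welcome = sanitize_welcome($get['welcome'] ?? null);
    if ($welcome !== null) {
        $say = $doc->createElement('Say');
        // createTextNode() escapes <, > and &; createElement('Say', $text) would not.
        $say->appendChild($doc->createTextNode($welcome));
        $response->appendChild($say);
    }

    $dial = $doc->createElement('Dial');
    $number = $doc->createElement('Number');
    $number->setAttribute('url', 'screen_for_machine.php');
    $number->appendChild($doc->createTextNode($agentNumber));
    $dial->appendChild($number);
    $response->appendChild($dial);

    $goodbye = $doc->createElement('Say');
    $goodbye->appendChild($doc->createTextNode('Goodbye.'));
    $response->appendChild($goodbye);

    return $doc->saveXML();
}

// Constructed request; in the plugin this is $_GET. The value carries markup
// characters only to make the difference in handling visible.
$sampleGet = ['welcome' => 'Hello <b>team</b> & friends'];
$agentNumber = '+15005550006'; // constructed sample number

header('Content-Type: text/xml; charset=UTF-8'); // ignored when run from the CLI
echo "-- flagged pattern --\n", render_unsafe($sampleGet, $agentNumber), "\n\n";
echo "-- hardened --\n", render_safe($sampleGet, $agentNumber);
```

Run with `php example.php`: the first block prints a `<Say>` element whose content is no longer well-formed XML because the sample's `<b>` and `&` were copied verbatim, while the second prints `<Say>Hello &lt;b&gt;team&lt;/b&gt; &amp; friends</Say>`. Two design points matter here: the fix is not a single escaping call bolted onto the echo but a change of serialisation so every text node is escaped by construction, and validation happens once, on the raw parameter, before the value reaches the document.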
Our security policy
We have reserved the ID CVE-2025-31288 to refer to this issue from now on.
System Information
- Product: Click-to-Call for Twilio
- Version: twili
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims.
Timeline
- 2025-03-14: Vulnerability discovered.
- 2025-03-14: Vendor contacted.