Multiple Vulnerabilities Identified in CentralSquare eTRAKiT and IVR Components

Background

CentralSquare eTRAKiT is widely used by municipalities and permitting authorities for managing permit records, inspections, and public-facing regulatory workflows. The platform also includes an IVR (Interactive Voice Response) component, which is designed to allow users to interact with permit or inspection records by telephone. In many deployments, the IVR is also accessible through a web interface, where the interactive voice prompts are presented in a browser.

Several security vulnerabilities have been identified in CentralSquare Technologies’ eTRAKiT platform and its associated IVR component. These issues impact how the system processes user input, stores submitted data, and restricts access to administrative interfaces. These vulnerabilities were disclosed to CentralSquare with the assistance of the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. CentralSquare has stated that affected customers have been or will be contacted regarding recommended remediation steps.

Vulnerabilities

CVE-2025-64280 — Unauthenticated SQL Injection in IVR

The IVR web interface accepts a permit_no parameter after a user progresses through the simulated call prompts. This parameter is not properly sanitized before being used in backend SQL queries. When the IVR interface is exposed to the public internet, an unauthenticated user may exploit this issue to perform time-based or error-based SQL injection.

Impact:

An attacker may be able to extract or manipulate data in the backend database, depending on database configuration and privileges.

CVE-2025-59491 — Stored Cross-Site Scripting (XSS) in eTRAKiT Form Fields

eTRAKiT (tested on version 19.5.7.1) stores user-provided content from numerous form fields and later renders it without sufficient output encoding. At least sixteen commonly used form parameters were confirmed vulnerable, including those within Applicant, Owner, Agent, Surveyor, Profile, and Project description fields on custom forms.

Impact:

Malicious script input can be persistently stored and executed in the browser of any user who later views the affected records. This may result in credential theft, forced transactions, or elevation of privileges through session compromise.

CVE-2025-64281 — Authentication Bypass in IVR Administrative Interface

The IVR browser interface includes an administrative configuration page that appears to be gated behind authentication. However, the administrative panel can be accessed directly without prior authentication because access control is insufficiently enforced. The application does not adequately restrict access to administrative pages once their locations are known.

Impact:

Unauthorized users may modify IVR behavior, modify configuration details, upload custom voice files, or otherwise alter system operation without valid credentials.

Recommendations

CentralSquare has stated that it has contacted or will contact affected organizations with update guidance. In addition, the following actions are recommended for system owners:

Additional Mitigations

  • Restrict public access to the IVR web interface.

    Where possible, limit the IVR interface to internal networks or VPN-only access.

  • Apply vendor-provided patches and updates once available.

  • Review stored form fields for unexpected HTML or JavaScript content.

  • Monitor access logs for requests to the IVR administrative page or unusual IVR query behavior.
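As an added defender-side example (not part of the original advisory), the following Python script applies the log-monitoring recommendation above to web-server access logs: it flags requests to the IVR administrative page and permit_no values that do not look like a permit number. The admin path prefix `/ivr/admin`, the lookup path `/ivr/lookup`, the permit-number format and the sample log lines are all assumptions constructed for this example and must be adjusted to the deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# ASSUMPTIONS (placeholders, not from the advisory): the path prefix of the IVR
# administrative page and the format of a legitimate permit number. Replace both
# with the values observed in your own deployment.
IVR_ADMIN_PREFIX = "/ivr/admin"
PERMIT_NO_OK = re.compile(r"^[A-Za-z0-9-]{1,32}$")

# Apache/nginx "combined"-style access log: client, identd, user, [time], "request", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding dict for a suspicious access-log line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    findings = []
    # Any hit on the admin page is worth review: the advisory reports it is reachable unauthenticated.
    if url.path.startswith(IVR_ADMIN_PREFIX):
        findings.append("ivr_admin_access")
    # permit_no is the injectable parameter. parse_qs percent-decodes, so quotes or SQL syntax
    # surface even when URL-encoded. Only query strings appear in access logs; POST bodies
    # need application-level logging.
    for value in parse_qs(url.query).get("permit_no", []):
        if not PERMIT_NO_OK.match(value):
            findings.append("permit_no_unexpected_format")
            break
    if not findings:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "target": m.group("target"), "findings": findings}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic) exercising each rule.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "GET /ivr/lookup?permit_no=BLD-2025-0042 HTTP/1.1" 200 512
203.0.113.10 - - [12/Nov/2025:10:01:09 +0000] "GET /ivr/lookup?permit_no=BLD-2025-0042%27 HTTP/1.1" 500 0
198.51.100.7 - - [12/Nov/2025:10:02:30 +0000] "GET /ivr/admin/config HTTP/1.1" 200 2048
192.0.2.5 - - [12/Nov/2025:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 9001
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["ip"], ",".join(hit["findings"]), hit["target"])
```

Feed real log files to scan() one line at a time; a malformed permit_no paired with a 500 response, as in the second sample line, is the pattern error-based probing leaves behind.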

Conclusion

The identified vulnerabilities present risks ranging from data exposure to potential administrative takeover, particularly in deployments where the IVR interface is publicly accessible. Prompt patching and access restriction are strongly advised. Organizations using eTRAKiT or the IVR subsystem should confirm their update status with CentralSquare and evaluate whether the IVR interface is unnecessarily exposed to the public internet.

I’d like to acknowledge CentralSquare Technologies for their responsiveness during the coordination process, and CERT/CC for assisting in the responsible disclosure of these vulnerabilities.
