
    12 vulnerabilities by VICIdial

    CVE-2024-8504 (GCVE-0-2024-8504)

    Vulnerability from cvelistv5 – Published: 2024-09-10 19:23 – Updated: 2025-11-04 16:16
    VLAI
    Title
    VICIdial Authenticated Remote Code Execution
    Summary
    An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    VICIdial VICIdial Affected: 2.14-917a
    vicidial vicidial Affected: 2.14-917a
        cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*
    Date Public
    2024-09-10 19:23
    Credits
    Jaggar Henry of KoreLogic, Inc.

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "vicidial",
                "vendor": "vicidial",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.14-917a"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8504",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-12T13:51:21.498740Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T13:52:49.969Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T16:16:06.940Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://seclists.org/fulldisclosure/2024/Sep/26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "VICIdial",
              "vendor": "VICIdial",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.14-917a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jaggar Henry of KoreLogic, Inc."
            }
          ],
          "datePublic": "2024-09-10T19:23:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An attacker with authenticated access to VICIdial as an \"agent\" can execute arbitrary shell commands as the \"root\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective."
                }
              ],
              "value": "An attacker with authenticated access to VICIdial as an \"agent\" can execute arbitrary shell commands as the \"root\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-10T19:23:39.327Z",
            "orgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
            "shortName": "KoreLogic"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.vicidial.org/vicidial.php"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.\u003cbr\u003e"
                }
              ],
              "value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "VICIdial Authenticated Remote Code Execution",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
        "assignerShortName": "KoreLogic",
        "cveId": "CVE-2024-8504",
        "datePublished": "2024-09-10T19:23:39.327Z",
        "dateReserved": "2024-09-05T21:29:06.095Z",
        "dateUpdated": "2025-11-04T16:16:06.940Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8503 (GCVE-0-2024-8503)

    Vulnerability from cvelistv5 – Published: 2024-09-10 19:22 – Updated: 2025-11-04 16:16
    VLAI
    Title
    VICIdial Unauthenticated SQL Injection
    Summary
    An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    VICIdial VICIdial Affected: 2.14-917a
    vicidial vicidial Affected: 2.14-917a
        cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*
    Date Public
    2024-09-10 19:22
    Credits
    Jaggar Henry of KoreLogic, Inc.

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "vicidial",
                "vendor": "vicidial",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.14-917a"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8503",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-10T19:30:58.340394Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-10T19:36:08.120Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T16:16:05.997Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://seclists.org/fulldisclosure/2024/Sep/25"
              },
              {
                "url": "http://seclists.org/fulldisclosure/2024/Sep/26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "VICIdial",
              "vendor": "VICIdial",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.14-917a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jaggar Henry of KoreLogic, Inc."
            }
          ],
          "datePublic": "2024-09-10T19:22:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database."
                }
              ],
              "value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-10T19:22:40.111Z",
            "orgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
            "shortName": "KoreLogic"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.vicidial.org/vicidial.php"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.\u003cbr\u003e"
                }
              ],
              "value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "VICIdial Unauthenticated SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
        "assignerShortName": "KoreLogic",
        "cveId": "CVE-2024-8503",
        "datePublished": "2024-09-10T19:22:40.111Z",
        "dateReserved": "2024-09-05T21:29:03.299Z",
        "dateUpdated": "2025-11-04T16:16:05.997Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-35377 (GCVE-0-2021-35377)

    Vulnerability from cvelistv5 – Published: 2023-03-06 00:00 – Updated: 2025-03-06 15:47
    VLAI
    Summary
    Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers to execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:33:51.292Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://vicidial.com"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=2\u0026t=41634"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-35377",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-06T15:47:25.563990Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-06T15:47:38.681Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-06T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "http://vicidial.com"
            },
            {
              "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=2\u0026t=41634"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-35377",
        "datePublished": "2023-03-06T00:00:00.000Z",
        "dateReserved": "2021-06-23T00:00:00.000Z",
        "dateUpdated": "2025-03-06T15:47:38.681Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-34879 (GCVE-0-2022-34879)

    Vulnerability from cvelistv5 – Published: 2022-07-05 15:40 – Updated: 2024-09-16 20:47
    VLAI
    Title
    VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple Cross Site Scripting (XSS) vulnerabilities at /vicidial/admin.php.
    Summary
    Reflected Cross Site Scripting (XSS) vulnerabilities in the AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    VICIdial VICIdial Affected: 2.14b0.5 , < 3555 (custom)
    Date Public
    2022-06-30 00:00
    Credits
    h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:22:10.707Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VICIdial",
              "vendor": "VICIdial",
              "versions": [
                {
                  "lessThan": "3555",
                  "status": "affected",
                  "version": "2.14b0.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "h00die for discovery, disclosure, and exploit.  Matt Florell with VICIdial for patching the software."
            }
          ],
          "datePublic": "2022-06-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-05T15:40:31.000Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to SVN release 3583 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple Cross Site Scripting (XSS) vulnerabilities at /vicidial/admin.php.",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@rapid7.com",
              "DATE_PUBLIC": "2022-06-30T21:07:00.000Z",
              "ID": "CVE-2022-34879",
              "STATE": "PUBLIC",
              "TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple Cross Site Scripting (XSS) vulnerabilities at /vicidial/admin.php."
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "VICIdial",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.14b0.5",
                                "version_value": "3555"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VICIdial"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "h00die for discovery, disclosure, and exploit.  Matt Florell with VICIdial for patching the software."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
                  "refsource": "CONFIRM",
                  "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to SVN release 3583 or later."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2022-34879",
        "datePublished": "2022-07-05T15:40:31.098Z",
        "dateReserved": "2022-06-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:47:06.832Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-34878 (GCVE-0-2022-34878)

    Vulnerability from cvelistv5 – Published: 2022-07-05 15:40 – Updated: 2024-09-16 23:26
    VLAI
    Title
    VICIDial 2.14b0.5 SVN 3550 was discovered to contain a SQL injection vulnerability at /vicidial/user_stats.php.
    Summary
    SQL Injection vulnerability in the User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows an attacker to spoof identity, tamper with existing data, cause the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    VICIdial VICIdial Affected: 2.14b0.5 , < 3555 (custom)
    Date Public
    2022-06-30 00:00
    Credits
    h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:22:10.629Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/rapid7/metasploit-framework/pull/16732"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VICIdial",
              "vendor": "VICIdial",
              "versions": [
                {
                  "lessThan": "3555",
                  "status": "affected",
                  "version": "2.14b0.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "h00die for discovery, disclosure, and exploit.  Matt Florell with VICIdial for patching the software."
            }
          ],
          "datePublic": "2022-06-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "https://github.com/rapid7/metasploit-framework/pull/16732"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-05T15:40:27.000Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/rapid7/metasploit-framework/pull/16732"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to SVN release 3583 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain a SQL injection vulnerability at /vicidial/user_stats.php.",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@rapid7.com",
              "DATE_PUBLIC": "2022-06-30T21:07:00.000Z",
              "ID": "CVE-2022-34878",
              "STATE": "PUBLIC",
              "TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain a SQL injection vulnerability at /vicidial/user_stats.php."
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "VICIdial",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.14b0.5",
                                "version_value": "3555"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VICIdial"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "h00die for discovery, disclosure, and exploit.  Matt Florell with VICIdial for patching the software."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server."
                }
              ]
            },
            "exploit": [
              {
                "lang": "en",
                "value": "https://github.com/rapid7/metasploit-framework/pull/16732"
              }
            ],
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
                  "refsource": "CONFIRM",
                  "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
                },
                {
                  "name": "https://github.com/rapid7/metasploit-framework/pull/16732",
                  "refsource": "MISC",
                  "url": "https://github.com/rapid7/metasploit-framework/pull/16732"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to SVN release 3583 or later."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2022-34878",
        "datePublished": "2022-07-05T15:40:27.310Z",
        "dateReserved": "2022-06-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:26:46.020Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-34877 (GCVE-0-2022-34877)

    Vulnerability from cvelistv5 – Published: 2022-07-05 15:40 – Updated: 2024-09-17 04:09
    Title
    VICIDial 2.14b0.5 SVN 3550 was discovered to contain a SQL injection vulnerability at /vicidial/AST_agent_time_sheet.php.
    Summary
    SQL Injection vulnerability in the AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows an attacker to spoof identity, tamper with existing data, cause the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555. Note that the solution field of the record below advises upgrading to SVN release 3583 or later, which is newer than the 3555 bound stated here.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    VICIdial VICIdial Affected: 2.14b0.5 , < 3555 (custom)
    Date Public
    2022-06-30 00:00
    Credits
    h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:22:10.821Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/rapid7/metasploit-framework/pull/16732"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VICIdial",
              "vendor": "VICIdial",
              "versions": [
                {
                  "lessThan": "3555",
                  "status": "affected",
                  "version": "2.14b0.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "h00die for discovery, disclosure, and exploit.  Matt Florell with VICIdial for patching the software."
            }
          ],
          "datePublic": "2022-06-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "https://github.com/rapid7/metasploit-framework/pull/16732"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-05T15:40:19.000Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/rapid7/metasploit-framework/pull/16732"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to SVN release 3583 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contains a SQL injection vulnerability at /vicidial/AST_agent_time_sheet.php.",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@rapid7.com",
              "DATE_PUBLIC": "2022-06-30T21:31:00.000Z",
              "ID": "CVE-2022-34877",
              "STATE": "PUBLIC",
              "TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contains a SQL injection vulnerability at /vicidial/AST_agent_time_sheet.php."
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "VICIdial",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.14b0.5",
                                "version_value": "3555"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VICIdial"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "h00die for discovery, disclosure, and exploit.  Matt Florell with VICIdial for patching the software."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
                }
              ]
            },
            "exploit": [
              {
                "lang": "en",
                "value": "https://github.com/rapid7/metasploit-framework/pull/16732"
              }
            ],
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
                  "refsource": "CONFIRM",
                  "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
                },
                {
                  "name": "https://github.com/rapid7/metasploit-framework/pull/16732",
                  "refsource": "MISC",
                  "url": "https://github.com/rapid7/metasploit-framework/pull/16732"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to SVN release 3583 or later."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2022-34877",
        "datePublished": "2022-07-05T15:40:19.992Z",
        "dateReserved": "2022-06-30T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:09:36.869Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-34876 (GCVE-0-2022-34876)

    Vulnerability from cvelistv5 – Published: 2022-07-05 15:40 – Updated: 2024-09-16 17:23
    Title
    VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple SQL injection vulnerabilities at /vicidial/admin.php.
    Summary
    SQL Injection vulnerability in the admin interface (/vicidial/admin.php) of VICIdial via the modify_email_accounts, access_recordings, and agentcall_email parameters allows an attacker to spoof identity, tamper with existing data, cause the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555. Note that the solution field of the record below advises upgrading to SVN release 3583 or later, which is newer than the 3555 bound stated here.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    VICIdial VICIdial Affected: 2.14b0.5 , < 3555 (custom)
    Date Public
    2022-06-30 00:00
    Credits
    h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:22:10.815Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/rapid7/metasploit-framework/pull/16732"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VICIdial",
              "vendor": "VICIdial",
              "versions": [
                {
                  "lessThan": "3555",
                  "status": "affected",
                  "version": "2.14b0.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "h00die for discovery, disclosure, and exploit.  Matt Florell with VICIdial for patching the software."
            }
          ],
          "datePublic": "2022-06-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "https://github.com/rapid7/metasploit-framework/pull/16732"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-05T15:40:15.000Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/rapid7/metasploit-framework/pull/16732"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to SVN release 3583 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple SQL injection vulnerability at /vicidial/admin.php.",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@rapid7.com",
              "DATE_PUBLIC": "2022-06-30T21:07:00.000Z",
              "ID": "CVE-2022-34876",
              "STATE": "PUBLIC",
              "TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple SQL injection vulnerability at /vicidial/admin.php."
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "VICIdial",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.14b0.5",
                                "version_value": "3555"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VICIdial"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "h00die for discovery, disclosure, and exploit.  Matt Florell with VICIdial for patching the software."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
                }
              ]
            },
            "exploit": [
              {
                "lang": "en",
                "value": "https://github.com/rapid7/metasploit-framework/pull/16732"
              }
            ],
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
                  "refsource": "CONFIRM",
                  "url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
                },
                {
                  "name": "https://github.com/rapid7/metasploit-framework/pull/16732",
                  "refsource": "MISC",
                  "url": "https://github.com/rapid7/metasploit-framework/pull/16732"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to SVN release 3583 or later."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2022-34876",
        "datePublished": "2022-07-05T15:40:15.708Z",
        "dateReserved": "2022-06-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:23:59.824Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-46557 (GCVE-0-2021-46557)

    Vulnerability from cvelistv5 – Published: 2022-02-15 10:27 – Updated: 2024-08-04 05:10
    Summary
    Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T05:10:35.105Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-15T10:27:24.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-46557",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS",
                  "refsource": "MISC",
                  "url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-46557",
        "datePublished": "2022-02-15T10:27:24.000Z",
        "dateReserved": "2022-01-24T00:00:00.000Z",
        "dateUpdated": "2024-08-04T05:10:35.105Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-7382 (GCVE-0-2013-7382)

    Vulnerability from cvelistv5 – Published: 2014-05-17 19:00 – Updated: 2024-09-16 17:58
    Summary
    VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T18:09:16.519Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
              },
              {
                "name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
              },
              {
                "name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
              },
              {
                "name": "29513",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/29513"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2014-05-17T19:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
            },
            {
              "name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
            },
            {
              "name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
            },
            {
              "name": "29513",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/29513"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2013-7382",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/",
                  "refsource": "MISC",
                  "url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
                },
                {
                  "name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
                },
                {
                  "name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
                },
                {
                  "name": "29513",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/29513"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2013-7382",
        "datePublished": "2014-05-17T19:00:00.000Z",
        "dateReserved": "2014-05-17T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:58:35.704Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-4468 (GCVE-0-2013-4468)

    Vulnerability from cvelistv5 – Published: 2014-05-14 19:00 – Updated: 2024-08-06 16:45
    VLAI
    Summary
    VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2013-10-23 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T16:45:14.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
              },
              {
                "name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
              },
              {
                "name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
              },
              {
                "name": "29513",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/29513"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2013-10-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2014-05-14T18:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
            },
            {
              "name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
            },
            {
              "name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
            },
            {
              "name": "29513",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/29513"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2013-4468",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/",
                  "refsource": "MISC",
                  "url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
                },
                {
                  "name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
                },
                {
                  "name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
                },
                {
                  "name": "29513",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/29513"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-4468",
        "datePublished": "2014-05-14T19:00:00.000Z",
        "dateReserved": "2013-06-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T16:45:14.588Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-4467 (GCVE-0-2013-4467)

    Vulnerability from cvelistv5 – Published: 2014-03-11 15:00 – Updated: 2024-08-06 16:45
    VLAI
    Summary
    Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL | Tags
    http://seclists.org/oss-sec/2013/q4/175 | mailing-list, x_refsource_MLIST
    https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities | x_refsource_MISC
    http://www.securityfocus.com/bid/63340 | vdb-entry, x_refsource_BID
    http://seclists.org/oss-sec/2013/q4/171 | mailing-list, x_refsource_MLIST
    http://secunia.com/advisories/55453 | third-party-advisory, x_refsource_SECUNIA
    http://osvdb.org/98903 | vdb-entry, x_refsource_OSVDB
    http://www.exploit-db.com/exploits/29513 | exploit, x_refsource_EXPLOIT-DB
    https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb | x_refsource_MISC
    Date Public
    2013-10-23 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T16:45:14.649Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://seclists.org/oss-sec/2013/q4/175"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
              },
              {
                "name": "63340",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/63340"
              },
              {
                "name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://seclists.org/oss-sec/2013/q4/171"
              },
              {
                "name": "55453",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/55453"
              },
              {
                "name": "98903",
                "tags": [
                  "vdb-entry",
                  "x_refsource_OSVDB",
                  "x_transferred"
                ],
                "url": "http://osvdb.org/98903"
              },
              {
                "name": "29513",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/29513"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2013-10-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors.  NOTE: some of these details are obtained from third party information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2014-05-14T18:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://seclists.org/oss-sec/2013/q4/175"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
            },
            {
              "name": "63340",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/63340"
            },
            {
              "name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://seclists.org/oss-sec/2013/q4/171"
            },
            {
              "name": "55453",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/55453"
            },
            {
              "name": "98903",
              "tags": [
                "vdb-entry",
                "x_refsource_OSVDB"
              ],
              "url": "http://osvdb.org/98903"
            },
            {
              "name": "29513",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/29513"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2013-4467",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors.  NOTE: some of these details are obtained from third party information."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
                  "refsource": "MLIST",
                  "url": "http://seclists.org/oss-sec/2013/q4/175"
                },
                {
                  "name": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities",
                  "refsource": "MISC",
                  "url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
                },
                {
                  "name": "63340",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/63340"
                },
                {
                  "name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
                  "refsource": "MLIST",
                  "url": "http://seclists.org/oss-sec/2013/q4/171"
                },
                {
                  "name": "55453",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/55453"
                },
                {
                  "name": "98903",
                  "refsource": "OSVDB",
                  "url": "http://osvdb.org/98903"
                },
                {
                  "name": "29513",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/29513"
                },
                {
                  "name": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb",
                  "refsource": "MISC",
                  "url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-4467",
        "datePublished": "2014-03-11T15:00:00.000Z",
        "dateReserved": "2013-06-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T16:45:14.649Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-2234 (GCVE-0-2009-2234)

    Vulnerability from cvelistv5 – Published: 2009-06-27 18:00 – Updated: 2024-08-07 05:44
    VLAI
    Summary
    Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call Center Suite 2.0.5-173 allow remote attackers to execute arbitrary SQL commands via the (1) Username parameter ($PHP_AUTH_USER) and (2) Password parameter ($PHP_AUTH_PW).
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2009-05-21 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T05:44:55.622Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "35056",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/35056"
              },
              {
                "name": "callcenter-admin-sql-injection(50665)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50665"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.eflo.net/vicidial/security_fix_admin_20090522.patch"
              },
              {
                "name": "8755",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/8755"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-05-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call Center Suite 2.0.5-173 allow remote attackers to execute arbitrary SQL commands via the (1) Username parameter ($PHP_AUTH_USER) and (2) Password parameter ($PHP_AUTH_PW)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-18T12:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "35056",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/35056"
            },
            {
              "name": "callcenter-admin-sql-injection(50665)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50665"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.eflo.net/vicidial/security_fix_admin_20090522.patch"
            },
            {
              "name": "8755",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/8755"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2009-2234",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call Center Suite 2.0.5-173 allow remote attackers to execute arbitrary SQL commands via the (1) Username parameter ($PHP_AUTH_USER) and (2) Password parameter ($PHP_AUTH_PW)."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "35056",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/35056"
                },
                {
                  "name": "callcenter-admin-sql-injection(50665)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50665"
                },
                {
                  "name": "http://www.eflo.net/vicidial/security_fix_admin_20090522.patch",
                  "refsource": "CONFIRM",
                  "url": "http://www.eflo.net/vicidial/security_fix_admin_20090522.patch"
                },
                {
                  "name": "8755",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/8755"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2009-2234",
        "datePublished": "2009-06-27T18:00:00.000Z",
        "dateReserved": "2009-06-27T00:00:00.000Z",
        "dateUpdated": "2024-08-07T05:44:55.622Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }