CVE-2024-8504 (GCVE-0-2024-8504)
Vulnerability from cvelistv5 – Published: 2024-09-10 19:23 – Updated: 2025-11-04 16:16
Summary
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective. Per the CNA record below, the issue is remediated in the public svn/trunk codebase as of revision 3848 (committed 2024-07-08); 2.14-917a is the only version listed as affected.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Credits
Jaggar Henry of KoreLogic, Inc.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "vicidial",
"vendor": "vicidial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-8504",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T13:51:21.498740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T13:52:49.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:16:06.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/26"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jaggar Henry of KoreLogic, Inc."
}
],
"datePublic": "2024-09-10T19:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with authenticated access to VICIdial as an \"agent\" can execute arbitrary shell commands as the \"root\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective."
}
],
"value": "An attacker with authenticated access to VICIdial as an \"agent\" can execute arbitrary shell commands as the \"root\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T19:23:39.327Z",
"orgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"shortName": "KoreLogic"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt"
},
{
"tags": [
"product"
],
"url": "https://www.vicidial.org/vicidial.php"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.\u003cbr\u003e"
}
],
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "VICIdial Authenticated Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"assignerShortName": "KoreLogic",
"cveId": "CVE-2024-8504",
"datePublished": "2024-09-10T19:23:39.327Z",
"dateReserved": "2024-09-05T21:29:06.095Z",
"dateUpdated": "2025-11-04T16:16:06.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8503 (GCVE-0-2024-8503)
Vulnerability from cvelistv5 – Published: 2024-09-10 19:22 – Updated: 2025-11-04 16:16
Summary
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database, so recovered agent credentials can be used to reach the authenticated command-injection issue tracked as CVE-2024-8504. Per the CNA record below, the issue is remediated in the public svn/trunk codebase as of revision 3848 (committed 2024-07-08).
Severity
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Credits
Jaggar Henry of KoreLogic, Inc.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vicidial",
"vendor": "vicidial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-8503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T19:30:58.340394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T19:36:08.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:16:05.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/25"
},
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/26"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jaggar Henry of KoreLogic, Inc."
}
],
"datePublic": "2024-09-10T19:22:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database."
}
],
"value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T19:22:40.111Z",
"orgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"shortName": "KoreLogic"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt"
},
{
"tags": [
"product"
],
"url": "https://www.vicidial.org/vicidial.php"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.\u003cbr\u003e"
}
],
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "VICIdial Unauthenticated SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"assignerShortName": "KoreLogic",
"cveId": "CVE-2024-8503",
"datePublished": "2024-09-10T19:22:40.111Z",
"dateReserved": "2024-09-05T21:29:03.299Z",
"dateUpdated": "2025-11-04T16:16:05.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-35377 (GCVE-0-2021-35377)
Vulnerability from cvelistv5 – Published: 2023-03-06 00:00 – Updated: 2025-03-06 15:47
Summary
Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v2.10-415c allows attackers to execute arbitrary script in a victim's browser via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:33:51.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://vicidial.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=2\u0026t=41634"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-35377",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T15:47:25.563990Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T15:47:38.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-06T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://vicidial.com"
},
{
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=2\u0026t=41634"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-35377",
"datePublished": "2023-03-06T00:00:00.000Z",
"dateReserved": "2021-06-23T00:00:00.000Z",
"dateUpdated": "2025-03-06T15:47:38.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-34879 (GCVE-0-2022-34879)
Vulnerability from cvelistv5 – Published: 2022-07-05 15:40 – Updated: 2024-09-16 20:47
Summary
Reflected Cross Site Scripting (XSS) vulnerabilities in the AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent and search_archived_data parameters. This issue affects VICIdial 2.14b0.5 versions prior to SVN 3555.
Severity
6.5 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Credits
h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:22:10.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"lessThan": "3555",
"status": "affected",
"version": "2.14b0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"datePublic": "2022-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-05T15:40:31",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple Cross Site Scripting (XSS) vulnerabilities at /vicidial/admin.php.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-06-30T21:07:00.000Z",
"ID": "CVE-2022-34879",
"STATE": "PUBLIC",
"TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple Cross Site Scripting (XSS) vulnerabilities at /vicidial/admin.php."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VICIdial",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.14b0.5",
"version_value": "3555"
}
]
}
}
]
},
"vendor_name": "VICIdial"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
"refsource": "CONFIRM",
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-34879",
"datePublished": "2022-07-05T15:40:31.098013Z",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-09-16T20:47:06.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-34878 (GCVE-0-2022-34878)
Vulnerability from cvelistv5 – Published: 2022-07-05 15:40 – Updated: 2024-09-16 23:26
Summary
SQL Injection vulnerability in the User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows an attacker to spoof identity, tamper with existing data, disclose all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server. The CNA's CVSS vector (PR:H) indicates that high-privilege access to the interface is required. This issue affects VICIdial 2.14b0.5 versions prior to SVN 3555.
Severity
5.5 (Medium)
CWE
- CWE-89 - SQL Injection
Assigner
References
Credits
h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:22:10.629Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"lessThan": "3555",
"status": "affected",
"version": "2.14b0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"datePublic": "2022-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server."
}
],
"exploits": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-05T15:40:27",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain a SQL injection vulnerability at /vicidial/user_stats.php.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-06-30T21:07:00.000Z",
"ID": "CVE-2022-34878",
"STATE": "PUBLIC",
"TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain a SQL injection vulnerability at /vicidial/user_stats.php."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VICIdial",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.14b0.5",
"version_value": "3555"
}
]
}
}
]
},
"vendor_name": "VICIdial"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server."
}
]
},
"exploit": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
"refsource": "CONFIRM",
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"name": "https://github.com/rapid7/metasploit-framework/pull/16732",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-34878",
"datePublished": "2022-07-05T15:40:27.310449Z",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-09-16T23:26:46.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-34877 (GCVE-0-2022-34877)
Vulnerability from cvelistv5 – Published: 2022-07-05 15:40 – Updated: 2024-09-17 04:09
Summary
SQL Injection vulnerability in the AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows an attacker to spoof identity, tamper with existing data, disclose all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server. The CNA's CVSS vector (PR:L) indicates that only low-privilege authenticated access is required. This issue affects VICIdial 2.14b0.5 versions prior to SVN 3555.
Severity
6.4 (Medium)
CWE
- CWE-89 - SQL Injection
Assigner
References
Credits
h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:22:10.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"lessThan": "3555",
"status": "affected",
"version": "2.14b0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"datePublic": "2022-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
],
"exploits": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-05T15:40:19",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contains a SQL injection vulnerability at /vicidial/AST_agent_time_sheet.php.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-06-30T21:31:00.000Z",
"ID": "CVE-2022-34877",
"STATE": "PUBLIC",
"TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contains a SQL injection vulnerability at /vicidial/AST_agent_time_sheet.php."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VICIdial",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.14b0.5",
"version_value": "3555"
}
]
}
}
]
},
"vendor_name": "VICIdial"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
]
},
"exploit": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
"refsource": "CONFIRM",
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"name": "https://github.com/rapid7/metasploit-framework/pull/16732",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-34877",
"datePublished": "2022-07-05T15:40:19.992008Z",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-09-17T04:09:36.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-34876 (GCVE-0-2022-34876)
Vulnerability from cvelistv5 – Published: 2022-07-05 15:40 – Updated: 2024-09-16 17:23
Summary
SQL Injection vulnerability in the admin interface (/vicidial/admin.php) of VICIdial via the modify_email_accounts, access_recordings, and agentcall_email parameters allows an attacker to spoof identity, tamper with existing data, disclose all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server. The CNA's CVSS vector (PR:H) indicates that high-privilege (admin interface) access is required. This issue affects VICIdial 2.14b0.5 versions prior to SVN 3555.
Severity
5.5 (Medium)
CWE
- CWE-89 - SQL Injection
Assigner
References
Credits
h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:22:10.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"lessThan": "3555",
"status": "affected",
"version": "2.14b0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"datePublic": "2022-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
],
"exploits": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-05T15:40:15",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later. Note: the affected-version range in this record lists versions prior to SVN 3555 while the solution names SVN 3583; treat 3583 as the safe floor and confirm against the vendor forum reference before closing the finding."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple SQL injection vulnerabilities at /vicidial/admin.php.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-06-30T21:07:00.000Z",
"ID": "CVE-2022-34876",
"STATE": "PUBLIC",
"TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple SQL injection vulnerabilities at /vicidial/admin.php."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VICIdial",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.14b0.5",
"version_value": "3555"
}
]
}
}
]
},
"vendor_name": "VICIdial"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in the admin interface (/vicidial/admin.php) of VICIdial via the modify_email_accounts, access_recordings, and agentcall_email parameters allows an attacker who already holds credentials for the admin interface (the CVSS vector in this record rates Privileges Required as High) to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to SVN 3555."
}
]
},
"exploit": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
"refsource": "CONFIRM",
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"name": "https://github.com/rapid7/metasploit-framework/pull/16732",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later. Note: the affected-version range in this record lists versions prior to SVN 3555 while the solution names SVN 3583; treat 3583 as the safe floor and confirm against the vendor forum reference before closing the finding."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-34876",
"datePublished": "2022-07-05T15:40:15.708483Z",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-09-16T17:23:59.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-46557 (GCVE-0-2021-46557)
Vulnerability from cvelistv5 – Published: 2022-02-15 10:27 – Updated: 2024-08-04 05:10
Summary
Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs. The record carries no CWE, no CVSS score and no affected-version range (product and version are "n/a"); its only reference is a third-party proof-of-concept repository whose name describes the issue as a stored XSS, so treat the affected scope and fix status as unverified until confirmed against the vendor.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:10:35.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-15T10:27:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-46557",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS",
"refsource": "MISC",
"url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-46557",
"datePublished": "2022-02-15T10:27:24",
"dateReserved": "2022-01-24T00:00:00",
"dateUpdated": "2024-08-04T05:10:35.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-7382 (GCVE-0-2013-7382)
Vulnerability from cvelistv5 – Published: 2014-05-17 19:00 – Updated: 2024-09-16 17:58
Summary
VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access. The referenced disclosure also covers SQL injection and command injection issues that are tracked separately (CVE-2013-4467 and CVE-2013-4468 on this page), so changing these two passwords alone does not address that advisory.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:09:16.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/29513"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-05-17T19:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/29513"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7382",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/",
"refsource": "MISC",
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/29513"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-7382",
"datePublished": "2014-05-17T19:00:00Z",
"dateReserved": "2014-05-17T00:00:00Z",
"dateUpdated": "2024-09-16T17:58:35.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4468 (GCVE-0-2013-4468)
Vulnerability from cvelistv5 – Published: 2014-05-14 19:00 – Updated: 2024-08-06 16:45
Summary
VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php. The record carries no CWE or CVSS score, but a public exploit (Exploit-DB 29513) is referenced, so this should be triaged as an authenticated remote command execution with working exploit code available.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/29513"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-10-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-05-14T18:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/29513"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4468",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/",
"refsource": "MISC",
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/29513"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4468",
"datePublished": "2014-05-14T19:00:00",
"dateReserved": "2013-06-12T00:00:00",
"dateUpdated": "2024-08-06T16:45:14.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4467 (GCVE-0-2013-4467)
Vulnerability from cvelistv5 – Published: 2014-03-11 15:00 – Updated: 2024-08-06 16:45
Summary
Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information. Vector (1) is described without an authentication requirement whereas (2) requires an authenticated user; the record carries no CWE or CVSS score, but a public exploit (Exploit-DB 29513) and a Metasploit module are referenced.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q4/175"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
},
{
"name": "63340",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/63340"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q4/171"
},
{
"name": "55453",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/55453"
},
{
"name": "98903",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/98903"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-10-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-05-14T18:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q4/175"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
},
{
"name": "63340",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/63340"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q4/171"
},
{
"name": "55453",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/55453"
},
{
"name": "98903",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/98903"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4467",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q4/175"
},
{
"name": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
},
{
"name": "63340",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/63340"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q4/171"
},
{
"name": "55453",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/55453"
},
{
"name": "98903",
"refsource": "OSVDB",
"url": "http://osvdb.org/98903"
},
{
"name": "29513",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"name": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4467",
"datePublished": "2014-03-11T15:00:00",
"dateReserved": "2013-06-12T00:00:00",
"dateUpdated": "2024-08-06T16:45:14.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2009-2234 (GCVE-0-2009-2234)
Vulnerability from cvelistv5 – Published: 2009-06-27 18:00 – Updated: 2024-08-07 05:44
Summary
Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call Center Suite 2.0.5-173 allow remote attackers to execute arbitrary SQL commands via the (1) Username parameter ($PHP_AUTH_USER) and (2) Password parameter ($PHP_AUTH_PW). Because these are the variables PHP populates from HTTP Basic-Auth credentials, the injection point appears to be the admin login step itself, reachable without a valid account. A vendor patch (security_fix_admin_20090522.patch) and a public exploit (Exploit-DB 8755) are referenced.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T05:44:55.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "35056",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/35056"
},
{
"name": "callcenter-admin-sql-injection(50665)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50665"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.eflo.net/vicidial/security_fix_admin_20090522.patch"
},
{
"name": "8755",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/8755"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-05-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call Center Suite 2.0.5-173 allow remote attackers to execute arbitrary SQL commands via the (1) Username parameter ($PHP_AUTH_USER) and (2) Password parameter ($PHP_AUTH_PW)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-18T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "35056",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/35056"
},
{
"name": "callcenter-admin-sql-injection(50665)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50665"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.eflo.net/vicidial/security_fix_admin_20090522.patch"
},
{
"name": "8755",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/8755"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-2234",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call Center Suite 2.0.5-173 allow remote attackers to execute arbitrary SQL commands via the (1) Username parameter ($PHP_AUTH_USER) and (2) Password parameter ($PHP_AUTH_PW)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "35056",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/35056"
},
{
"name": "callcenter-admin-sql-injection(50665)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50665"
},
{
"name": "http://www.eflo.net/vicidial/security_fix_admin_20090522.patch",
"refsource": "CONFIRM",
"url": "http://www.eflo.net/vicidial/security_fix_admin_20090522.patch"
},
{
"name": "8755",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/8755"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-2234",
"datePublished": "2009-06-27T18:00:00",
"dateReserved": "2009-06-27T00:00:00",
"dateUpdated": "2024-08-07T05:44:55.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}