CVE-2024-8504 (GCVE-0-2024-8504)
Vulnerability from cvelistv5 – Published: 2024-09-10 19:23 – Updated: 2025-11-04 16:16
Title
VICIdial Authenticated Remote Code Execution
Summary
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
KoreLogic
References
| URL | Tags |
|---|---|
| https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt | third-party-advisory |
| https://www.vicidial.org/vicidial.php | product |
| http://seclists.org/fulldisclosure/2024/Sep/26 | |
Credits
Jaggar Henry of KoreLogic, Inc.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "vicidial",
"vendor": "vicidial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-8504",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T13:51:21.498740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T13:52:49.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:16:06.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/26"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jaggar Henry of KoreLogic, Inc."
}
],
"datePublic": "2024-09-10T19:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with authenticated access to VICIdial as an \"agent\" can execute arbitrary shell commands as the \"root\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective."
}
],
"value": "An attacker with authenticated access to VICIdial as an \"agent\" can execute arbitrary shell commands as the \"root\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T19:23:39.327Z",
"orgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"shortName": "KoreLogic"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt"
},
{
"tags": [
"product"
],
"url": "https://www.vicidial.org/vicidial.php"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.\u003cbr\u003e"
}
],
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "VICIdial Authenticated Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"assignerShortName": "KoreLogic",
"cveId": "CVE-2024-8504",
"datePublished": "2024-09-10T19:23:39.327Z",
"dateReserved": "2024-09-05T21:29:06.095Z",
"dateUpdated": "2025-11-04T16:16:06.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"An attacker with authenticated access to VICIdial as an \\\"agent\\\" can execute arbitrary shell commands as the \\\"root\\\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.\"}, {\"lang\": \"es\", \"value\": \"Un atacante con acceso autenticado a VICIdial como \\\"agente\\\" puede ejecutar comandos de shell arbitrarios como usuario \\\"superusuario\\\". Este ataque se puede encadenar con CVE-2024-8503 para ejecutar comandos de shell arbitrarios a partir de una perspectiva no autenticada.\"}]",
"id": "CVE-2024-8504",
"lastModified": "2024-09-12T14:35:23.173",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2024-09-10T20:15:05.363",
"references": "[{\"url\": \"https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt\", \"source\": \"bbf0bd87-ece2-41be-b873-96928ee8fab9\"}, {\"url\": \"https://www.vicidial.org/vicidial.php\", \"source\": \"bbf0bd87-ece2-41be-b873-96928ee8fab9\"}]",
"sourceIdentifier": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"bbf0bd87-ece2-41be-b873-96928ee8fab9\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-8504\",\"sourceIdentifier\":\"bbf0bd87-ece2-41be-b873-96928ee8fab9\",\"published\":\"2024-09-10T20:15:05.363\",\"lastModified\":\"2025-11-04T17:16:17.913\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker with authenticated access to VICIdial as an \\\"agent\\\" can execute arbitrary shell commands as the \\\"root\\\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.\"},{\"lang\":\"es\",\"value\":\"Un atacante con acceso autenticado a VICIdial como \\\"agente\\\" puede ejecutar comandos de shell arbitrarios como usuario \\\"superusuario\\\". Este ataque se puede encadenar con CVE-2024-8503 para ejecutar comandos de shell arbitrarios a partir de una perspectiva no autenticada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"bbf0bd87-ece2-41be-b873-96928ee8fab9\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt\",\"source\":\"bbf0bd87-ece2-41be-b873-96928ee8fab9\"},{\"url\":\"https://www.vicidial.org/vicidial.php\",\"source\":\"bbf0bd87-ece2-41be-b873-96928ee8fab9\"},{\"url\":\"http://seclists.org/fulldisclosure/2024/Sep/26\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-8504\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-12T13:51:21.498740Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*\"], \"vendor\": \"vicidial\", \"product\": \"vicidial\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.14-917a\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-12T13:52:45.180Z\"}}], \"cna\": {\"title\": \"VICIdial Authenticated Remote Code Execution\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Jaggar Henry of KoreLogic, Inc.\"}], \"affected\": [{\"vendor\": \"VICIdial\", \"product\": \"VICIdial\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.14-917a\"}], \"platforms\": [\"Linux\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": 
\"2024-09-10T19:23:00.000Z\", \"references\": [{\"url\": \"https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.vicidial.org/vicidial.php\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker with authenticated access to VICIdial as an \\\"agent\\\" can execute arbitrary shell commands as the \\\"root\\\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An attacker with authenticated access to VICIdial as an \\\"agent\\\" can execute arbitrary shell commands as the \\\"root\\\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"bbf0bd87-ece2-41be-b873-96928ee8fab9\", \"shortName\": \"KoreLogic\", \"dateUpdated\": \"2024-09-10T19:23:39.327Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-8504\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-12T13:52:49.969Z\", \"dateReserved\": \"2024-09-05T21:29:06.095Z\", \"assignerOrgId\": \"bbf0bd87-ece2-41be-b873-96928ee8fab9\", \"datePublished\": \"2024-09-10T19:23:39.327Z\", \"assignerShortName\": \"KoreLogic\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.