Vulnerabilites related to VICIdial - VICIdial
cve-2013-7382
Vulnerability from cvelistv5
Published
2014-05-17 19:00
Modified
2024-09-16 17:58
Severity ?
EPSS score ?
Summary
VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access.
References
| ▼ | URL | Tags |
|---|---|---|
| https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/ | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2013/10/23/10 | mailing-list, x_refsource_MLIST | |
| http://www.openwall.com/lists/oss-security/2013/10/25/1 | mailing-list, x_refsource_MLIST | |
| http://www.exploit-db.com/exploits/29513 | exploit, x_refsource_EXPLOIT-DB |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:09:16.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/29513"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-05-17T19:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/29513"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7382",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/",
"refsource": "MISC",
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/29513"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-7382",
"datePublished": "2014-05-17T19:00:00Z",
"dateReserved": "2014-05-17T00:00:00Z",
"dateUpdated": "2024-09-16T17:58:35.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-34878
Vulnerability from cvelistv5
Published
2022-07-05 15:40
Modified
2024-09-16 23:26
Severity ?
EPSS score ?
Summary
SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af | x_refsource_CONFIRM | |
| https://github.com/rapid7/metasploit-framework/pull/16732 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:22:10.629Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"lessThan": "3555",
"status": "affected",
"version": "2.14b0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"datePublic": "2022-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server."
}
],
"exploits": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-05T15:40:27",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain a SQL injection vulnerability at /vicidial/user_stats.php.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-06-30T21:07:00.000Z",
"ID": "CVE-2022-34878",
"STATE": "PUBLIC",
"TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain a SQL injection vulnerability at /vicidial/user_stats.php."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VICIdial",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.14b0.5",
"version_value": "3555"
}
]
}
}
]
},
"vendor_name": "VICIdial"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server."
}
]
},
"exploit": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
"refsource": "CONFIRM",
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"name": "https://github.com/rapid7/metasploit-framework/pull/16732",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-34878",
"datePublished": "2022-07-05T15:40:27.310449Z",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-09-16T23:26:46.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-34879
Vulnerability from cvelistv5
Published
2022-07-05 15:40
Modified
2024-09-16 20:47
Severity ?
EPSS score ?
Summary
Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:22:10.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"lessThan": "3555",
"status": "affected",
"version": "2.14b0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"datePublic": "2022-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-05T15:40:31",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple Cross Site Scripting (XSS) vulnerabilities at /vicidial/admin.php.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-06-30T21:07:00.000Z",
"ID": "CVE-2022-34879",
"STATE": "PUBLIC",
"TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple Cross Site Scripting (XSS) vulnerabilities at /vicidial/admin.php."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VICIdial",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.14b0.5",
"version_value": "3555"
}
]
}
}
]
},
"vendor_name": "VICIdial"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
"refsource": "CONFIRM",
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-34879",
"datePublished": "2022-07-05T15:40:31.098013Z",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-09-16T20:47:06.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-8503
Vulnerability from cvelistv5
Published
2024-09-10 19:22
Modified
2024-09-10 21:02
Severity ?
EPSS score ?
Summary
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
References
| ▼ | URL | Tags |
|---|---|---|
| https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt | third-party-advisory | |
| https://www.vicidial.org/vicidial.php | product |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vicidial",
"vendor": "vicidial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-8503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T19:30:58.340394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T19:36:08.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-10T21:02:45.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/25"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jaggar Henry of KoreLogic, Inc."
}
],
"datePublic": "2024-09-10T19:22:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database."
}
],
"value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T19:22:40.111Z",
"orgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"shortName": "KoreLogic"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt"
},
{
"tags": [
"product"
],
"url": "https://www.vicidial.org/vicidial.php"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.\u003cbr\u003e"
}
],
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "VICIdial Unauthenticated SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"assignerShortName": "KoreLogic",
"cveId": "CVE-2024-8503",
"datePublished": "2024-09-10T19:22:40.111Z",
"dateReserved": "2024-09-05T21:29:03.299Z",
"dateUpdated": "2024-09-10T21:02:45.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-34877
Vulnerability from cvelistv5
Published
2022-07-05 15:40
Modified
2024-09-17 04:09
Severity ?
EPSS score ?
Summary
SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af | x_refsource_CONFIRM | |
| https://github.com/rapid7/metasploit-framework/pull/16732 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:22:10.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"lessThan": "3555",
"status": "affected",
"version": "2.14b0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"datePublic": "2022-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
],
"exploits": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-05T15:40:19",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contains a SQL injection vulnerability at /vicidial/AST_agent_time_sheet.php.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-06-30T21:31:00.000Z",
"ID": "CVE-2022-34877",
"STATE": "PUBLIC",
"TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contains a SQL injection vulnerability at /vicidial/AST_agent_time_sheet.php."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VICIdial",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.14b0.5",
"version_value": "3555"
}
]
}
}
]
},
"vendor_name": "VICIdial"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
]
},
"exploit": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
"refsource": "CONFIRM",
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"name": "https://github.com/rapid7/metasploit-framework/pull/16732",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-34877",
"datePublished": "2022-07-05T15:40:19.992008Z",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-09-17T04:09:36.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-8504
Vulnerability from cvelistv5
Published
2024-09-10 19:23
Modified
2024-09-12 13:52
Severity ?
EPSS score ?
Summary
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
References
| ▼ | URL | Tags |
|---|---|---|
| https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt | third-party-advisory | |
| https://www.vicidial.org/vicidial.php | product |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "vicidial",
"vendor": "vicidial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-8504",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T13:51:21.498740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T13:52:49.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jaggar Henry of KoreLogic, Inc."
}
],
"datePublic": "2024-09-10T19:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with authenticated access to VICIdial as an \"agent\" can execute arbitrary shell commands as the \"root\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective."
}
],
"value": "An attacker with authenticated access to VICIdial as an \"agent\" can execute arbitrary shell commands as the \"root\" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T19:23:39.327Z",
"orgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"shortName": "KoreLogic"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt"
},
{
"tags": [
"product"
],
"url": "https://www.vicidial.org/vicidial.php"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.\u003cbr\u003e"
}
],
"value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "VICIdial Authenticated Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9",
"assignerShortName": "KoreLogic",
"cveId": "CVE-2024-8504",
"datePublished": "2024-09-10T19:23:39.327Z",
"dateReserved": "2024-09-05T21:29:06.095Z",
"dateUpdated": "2024-09-12T13:52:49.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-35377
Vulnerability from cvelistv5
Published
2023-03-06 00:00
Modified
2024-08-04 00:33
Severity ?
EPSS score ?
Summary
Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:33:51.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://vicidial.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=2\u0026t=41634"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-06T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://vicidial.com"
},
{
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=2\u0026t=41634"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-35377",
"datePublished": "2023-03-06T00:00:00",
"dateReserved": "2021-06-23T00:00:00",
"dateUpdated": "2024-08-04T00:33:51.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-4468
Vulnerability from cvelistv5
Published
2014-05-14 19:00
Modified
2024-08-06 16:45
Severity ?
EPSS score ?
Summary
VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/ | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2013/10/23/10 | mailing-list, x_refsource_MLIST | |
| http://www.openwall.com/lists/oss-security/2013/10/25/1 | mailing-list, x_refsource_MLIST | |
| http://www.exploit-db.com/exploits/29513 | exploit, x_refsource_EXPLOIT-DB |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/29513"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-10-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-05-14T18:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/29513"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4468",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/",
"refsource": "MISC",
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"name": "29513",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/29513"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4468",
"datePublished": "2014-05-14T19:00:00",
"dateReserved": "2013-06-12T00:00:00",
"dateUpdated": "2024-08-06T16:45:14.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-4467
Vulnerability from cvelistv5
Published
2014-03-11 15:00
Modified
2024-08-06 16:45
Severity ?
EPSS score ?
Summary
Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/oss-sec/2013/q4/175 | mailing-list, x_refsource_MLIST | |
| https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities | x_refsource_MISC | |
| http://www.securityfocus.com/bid/63340 | vdb-entry, x_refsource_BID | |
| http://seclists.org/oss-sec/2013/q4/171 | mailing-list, x_refsource_MLIST | |
| http://secunia.com/advisories/55453 | third-party-advisory, x_refsource_SECUNIA | |
| http://osvdb.org/98903 | vdb-entry, x_refsource_OSVDB | |
| http://www.exploit-db.com/exploits/29513 | exploit, x_refsource_EXPLOIT-DB | |
| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q4/175"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
},
{
"name": "63340",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/63340"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q4/171"
},
{
"name": "55453",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/55453"
},
{
"name": "98903",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/98903"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-10-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-05-14T18:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q4/175"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
},
{
"name": "63340",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/63340"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q4/171"
},
{
"name": "55453",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/55453"
},
{
"name": "98903",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/98903"
},
{
"name": "29513",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4467",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q4/175"
},
{
"name": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
},
{
"name": "63340",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/63340"
},
{
"name": "[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q4/171"
},
{
"name": "55453",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/55453"
},
{
"name": "98903",
"refsource": "OSVDB",
"url": "http://osvdb.org/98903"
},
{
"name": "29513",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"name": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4467",
"datePublished": "2014-03-11T15:00:00",
"dateReserved": "2013-06-12T00:00:00",
"dateUpdated": "2024-08-06T16:45:14.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-34876
Vulnerability from cvelistv5
Published
2022-07-05 15:40
Modified
2024-09-16 17:23
Severity ?
EPSS score ?
Summary
SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af | x_refsource_CONFIRM | |
| https://github.com/rapid7/metasploit-framework/pull/16732 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:22:10.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"lessThan": "3555",
"status": "affected",
"version": "2.14b0.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"datePublic": "2022-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
],
"exploits": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-05T15:40:15",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple SQL injection vulnerability at /vicidial/admin.php.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-06-30T21:07:00.000Z",
"ID": "CVE-2022-34876",
"STATE": "PUBLIC",
"TITLE": "VICIDial 2.14b0.5 SVN 3550 was discovered to contain multiple SQL injection vulnerability at /vicidial/admin.php."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VICIdial",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.14b0.5",
"version_value": "3555"
}
]
}
}
]
},
"vendor_name": "VICIdial"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "h00die for discovery, disclosure, and exploit. Matt Florell with VICIdial for patching the software."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
}
]
},
"exploit": [
{
"lang": "en",
"value": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af",
"refsource": "CONFIRM",
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"name": "https://github.com/rapid7/metasploit-framework/pull/16732",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to SVN release 3583 or later."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-34876",
"datePublished": "2022-07-05T15:40:15.708483Z",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-09-16T17:23:59.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-46557
Vulnerability from cvelistv5
Published
2022-02-15 10:27
Modified
2024-08-04 05:10
Severity ?
EPSS score ?
Summary
Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Zeyad-Azima/Vicidial-stored-XSS | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:10:35.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-15T10:27:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-46557",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS",
"refsource": "MISC",
"url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-46557",
"datePublished": "2022-02-15T10:27:24",
"dateReserved": "2022-01-24T00:00:00",
"dateUpdated": "2024-08-04T05:10:35.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-07-05 16:15
Modified
2024-11-21 07:10
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.14b0.5:3555:*:*:*:*:*:*",
"matchCriteriaId": "8F2D723A-5E19-41E1-8E36-D749C6A6C25F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
},
{
"lang": "es",
"value": "Unas vulnerabilidades de tipo Cross Site Scripting (XSS) Reflejadas en la interfaz de la hoja de tiempo del agente AST (/vicidial/AST_agent_time_sheet.php) de VICIdial por medio del agente y los par\u00e1metros search_archived_data.\u0026#xa0;Este problema afecta: VICIdial versiones 2.14b0.5 anteriores a 3555"
}
],
"id": "CVE-2022-34879",
"lastModified": "2024-11-21T07:10:21.610",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-05T16:15:08.320",
"references": [
{
"source": "cve@rapid7.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
],
"sourceIdentifier": "cve@rapid7.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-03-11 19:37
Modified
2024-11-21 01:55
Severity ?
Summary
Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vicidial:vicidial:*:-:*:*:*:*:*:*",
"matchCriteriaId": "82552078-00AF-44B1-947A-588912E2C4E3",
"versionEndIncluding": "2.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAEBD3E3-E1BC-4A69-848C-4CDBCA459578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.8:403a:*:*:*:*:*:*",
"matchCriteriaId": "F1B91016-3389-4F8C-B9DB-C41A6B19F2FD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n de SQL en la interfaz de agente (agc/) en el marcador VICIDIAL (tambi\u00e9n conocido como Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1 y anteriores permiten a (1) atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de la variable campaign en SCRIPT_multirecording_AJAX.php, (2) usuarios remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro server_ip hacia manager_send.php o (3) otros vectores no especificados. NOTA: algunos de estos detalles se obtienen de informaci\u00f3n de terceros partes."
}
],
"id": "CVE-2013-4467",
"lastModified": "2024-11-21T01:55:37.517",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-03-11T19:37:03.053",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/98903"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2013/q4/171"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2013/q4/175"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/55453"
},
{
"source": "secalert@redhat.com",
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/63340"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/98903"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2013/q4/171"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2013/q4/175"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/55453"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/63340"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-05 16:15
Modified
2024-11-21 07:10
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.14b0.5:3555:*:*:*:*:*:*",
"matchCriteriaId": "8F2D723A-5E19-41E1-8E36-D749C6A6C25F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en la interfaz de administraci\u00f3n (/vicidial/admin.php) de VICIdial por medio de los par\u00e1metros modify_email_accounts, access_recordings y agentcall_email permite al atacante falsificar la identidad, alterar los datos existentes, permitir la divulgaci\u00f3n completa de todos los datos en el sistema, destruir los datos o deje que no est\u00e9 disponible y convi\u00e9rtase en administrador del servidor de la base de datos.\u0026#xa0;Este problema afecta: VICIdial versiones 2.14b0.5 anteriores a 3555"
}
],
"id": "CVE-2022-34876",
"lastModified": "2024-11-21T07:10:21.210",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.5,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-05T16:15:08.033",
"references": [
{
"source": "cve@rapid7.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
},
{
"source": "cve@rapid7.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
],
"sourceIdentifier": "cve@rapid7.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-15 11:15
Modified
2024-11-21 06:34
Severity ?
Summary
Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Zeyad-Azima/Vicidial-stored-XSS | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Zeyad-Azima/Vicidial-stored-XSS | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.14-783a:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9D7F9-26D4-4BB9-9A37-B21DA7262C09",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs."
},
{
"lang": "es",
"value": "Se ha detectado que Vicidial versi\u00f3n 2.14-783a contiene una vulnerabilidad de tipo cross-site scripting (XSS) por medio de las pesta\u00f1as de entrada"
}
],
"id": "CVE-2021-46557",
"lastModified": "2024-11-21T06:34:19.320",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-15T11:15:07.990",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Zeyad-Azima/Vicidial-stored-XSS"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-06 20:15
Modified
2024-11-21 06:12
Severity ?
Summary
Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.9-401c:140612-1626:*:*:*:*:*:*",
"matchCriteriaId": "6BC258B2-56BC-4695-8014-D520DF82439B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.10-415c:140918-1606:*:*:*:*:*:*",
"matchCriteriaId": "4EDDE441-9864-4C0A-A342-8CBA5655C3D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.14-597c:191114-0949:*:*:*:*:*:*",
"matchCriteriaId": "F042CF37-57C4-44B8-8D0E-CDE3430F0CD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.14-610c:200528-2239:*:*:*:*:*:*",
"matchCriteriaId": "0801E19A-9EB7-4CF5-9C0C-6012192353DE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters."
}
],
"id": "CVE-2021-35377",
"lastModified": "2024-11-21T06:12:16.080",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-06T20:15:09.497",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://vicidial.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=2\u0026t=41634"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "http://vicidial.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=2\u0026t=41634"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-05 16:15
Modified
2024-11-21 07:10
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.14b0.5:3555:*:*:*:*:*:*",
"matchCriteriaId": "8F2D723A-5E19-41E1-8E36-D749C6A6C25F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en la interfaz User Stats (/vicidial/user_stats.php) de VICIdial por medio del par\u00e1metro file_download permite al atacante falsificar la identidad, alterar los datos existentes, permitir la divulgaci\u00f3n completa de todos los datos en el sistema, destruir los datos o hacerlo de otra manera no disponible y convertirse en administradores del servidor de la base de datos"
}
],
"id": "CVE-2022-34878",
"lastModified": "2024-11-21T07:10:21.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-05T16:15:08.243",
"references": [
{
"source": "cve@rapid7.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
},
{
"source": "cve@rapid7.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
],
"sourceIdentifier": "cve@rapid7.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-05 16:15
Modified
2024-11-21 07:10
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.14b0.5:3555:*:*:*:*:*:*",
"matchCriteriaId": "8F2D723A-5E19-41E1-8E36-D749C6A6C25F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en la interfaz Agent Time Sheet AST ((/vicidial/AST_agent_time_sheet.php) de VICIdial por medio del par\u00e1metro agent permite al atacante falsificar la identidad, alterar los datos existentes, permitir la divulgaci\u00f3n completa de todos los datos en el sistema, destruir los datos o haga que no est\u00e9 disponible y convi\u00e9rtase en administrador del servidor de la base de datos. Este problema afecta a: VICIdial versiones 2.14b0.5 anteriores a 3555"
}
],
"id": "CVE-2022-34877",
"lastModified": "2024-11-21T07:10:21.343",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-05T16:15:08.167",
"references": [
{
"source": "cve@rapid7.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
},
{
"source": "cve@rapid7.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/16732"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4\u0026t=41300\u0026sid=aacb27a29fefd85265b4d55fe51122af"
}
],
"sourceIdentifier": "cve@rapid7.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cve@rapid7.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-05-17 19:55
Modified
2024-11-21 02:00
Severity ?
Summary
VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vicidial:vicidial:*:403a:*:*:*:*:*:*",
"matchCriteriaId": "DC961189-962A-45D6-81A9-46ABE8E4D3C3",
"versionEndIncluding": "2.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.7:-:*:*:*:*:*:*",
"matchCriteriaId": "79562790-DBEF-47D7-A37A-35214A3CD589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAEBD3E3-E1BC-4A69-848C-4CDBCA459578",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access."
},
{
"lang": "es",
"value": "El marcador VICIDIAL (tambi\u00e9n conocido como Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1 y anteriores tiene una contrase\u00f1a embebida de donotedit para los usuarios de (1) VDAD y (2) VDCL, lo que facilita a atacantes remotos obtener acceso."
}
],
"id": "CVE-2013-7382",
"lastModified": "2024-11-21T02:00:53.410",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-05-17T19:55:02.793",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"source": "cve@mitre.org",
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-255"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-05-14 19:55
Modified
2024-11-21 01:55
Severity ?
Summary
VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vicidial:vicidial:*:403a:*:*:*:*:*:*",
"matchCriteriaId": "DC961189-962A-45D6-81A9-46ABE8E4D3C3",
"versionEndIncluding": "2.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.7:-:*:*:*:*:*:*",
"matchCriteriaId": "79562790-DBEF-47D7-A37A-35214A3CD589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vicidial:vicidial:2.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAEBD3E3-E1BC-4A69-848C-4CDBCA459578",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php."
},
{
"lang": "es",
"value": "El marcador VICIDIAL (tambi\u00e9n conocido como Asterisk GUI Client) 2.8-403a, 2.7, 2.7RC1 y anteriores permite a usuarios remotos autenticados ejecutar comandos arbitrarios a trav\u00e9s de metacaracteres de shell en el par\u00e1metro extension en una acci\u00f3n OriginateVDRelogin hacia manager_send.php."
}
],
"evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/77.html\n\n\"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"",
"id": "CVE-2013-4468",
"lastModified": "2024-11-21T01:55:37.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-05-14T19:55:10.077",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/29513"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/23/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/25/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}