Vicidial

Vicidial

12 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.3

CVE-2025-34099

  • EPSS 19.99%
  • Veröffentlicht 10.07.2025 19:10:18
  • Zuletzt bearbeitet 07.08.2025 14:15:41

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly pass...

9.8

CVE-2024-8503

  • EPSS 92.52%
  • Veröffentlicht 10.09.2024 20:15:05
  • Zuletzt bearbeitet 04.11.2025 17:16:17

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

8.8

CVE-2024-8504

  • EPSS 92.34%
  • Veröffentlicht 10.09.2024 20:15:05
  • Zuletzt bearbeitet 04.11.2025 17:16:17

An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

6.1

CVE-2021-35377

  • EPSS 0.5%
  • Veröffentlicht 06.03.2023 20:15:09
  • Zuletzt bearbeitet 21.11.2024 06:12:16

Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.

8.8

CVE-2022-34876

  • EPSS 53.2%
  • Veröffentlicht 05.07.2022 16:15:08
  • Zuletzt bearbeitet 21.11.2024 07:10:21

SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure ...

9

CVE-2022-34877

  • EPSS 49.23%
  • Veröffentlicht 05.07.2022 16:15:08
  • Zuletzt bearbeitet 21.11.2024 07:10:21

SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the sys...

9

CVE-2022-34878

  • EPSS 56.68%
  • Veröffentlicht 05.07.2022 16:15:08
  • Zuletzt bearbeitet 21.11.2024 07:10:21

SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy ...

6.1

CVE-2022-34879

  • EPSS 0.23%
  • Veröffentlicht 05.07.2022 16:15:08
  • Zuletzt bearbeitet 21.11.2024 07:10:21

Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.

5.4

CVE-2021-46557

Exploit
  • EPSS 0.21%
  • Veröffentlicht 15.02.2022 11:15:07
  • Zuletzt bearbeitet 21.11.2024 06:34:19

Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs.

5

CVE-2013-7382

Exploit
  • EPSS 6.3%
  • Veröffentlicht 17.05.2014 19:55:02
  • Zuletzt bearbeitet 12.04.2025 10:46:40

VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access.