module
VICIdial Multiple Authenticated SQLi
| Disclosed |
|---|
| Apr 19, 2022 |
Description
This module exploits several authenticated SQL injection vulnerabilities in VICIdial 2.14b0.5 prior to
svn/trunk revision 3555 (VICIBox 10.0.0 prior to January 20 is vulnerable).
Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.
Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.
Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.
Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.
Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.
VICIdial does not encrypt passwords by default.