CVE-2024-8503
VICIdial SQL Injection Vulnerability
Description
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
INFO
Published Date :
Sept. 10, 2024, 8:15 p.m.
Last Modified :
Sept. 11, 2024, 4:26 p.m.
Source :
bbf0bd87-ece2-41be-b873-96928ee8fab9
Remotely Exploitable :
Yes !
Impact Score :
5.9
Exploitability Score :
3.9
Public PoC/Exploit Available at Github
CVE-2024-8503 has a 1 public PoC/Exploit
available at Github.
Go to the Public Exploits
tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-8503
.
URL | Resource |
---|---|
https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt | |
https://www.vicidial.org/vicidial.php |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
VICIdial Unauthenticated SQLi to RCE Exploit (CVE-2024-8503 and CVE-2024-8504)
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-8503
vulnerability anywhere in the article.
- Cybersecurity News
Google Pays $55,000 Bounty for Chrome Security Flaw
Google has released a Stable Channel update for Chrome on Windows, Mac, and Linux, bringing the browser to version 129.0.6668.100/.101. The update is expected to roll out over the next few days and in ... Read more
- Cybersecurity News
Microsoft’s October 2024 Patch Tuesday: Zero-Day Exploits and Critical Vulnerabilities Patched
Microsoft’s October 2024 Patch Tuesday delivered a crucial set of security updates, addressing a total of 121 vulnerabilities across its ecosystem. This includes three critical vulnerabilities and 114 ... Read more
- Cybersecurity News
CyberVolk: From Hacktivism to Ransomware – Researcher Exposes New Threat
CyberVolk dialog window | Image: Rapid7Cybersecurity researchers at Rapid7 Labs have released a detailed report on CyberVolk, a politically motivated hacktivist group that transitioned into using rans ... Read more
- Cybersecurity News
CVE-2024-5102: Avast Antivirus Flaw Could Allow Hackers to Delete Files and Run Code as SYSTEM
A high-severity vulnerability (CVE-2024-5102) has been discovered in Avast Antivirus for Windows, potentially allowing attackers to gain elevated privileges and wreak havoc on users’ systems. This fla ... Read more
- Cybersecurity News
CVE-2024-20432 (CVSS 9.9): Cisco Nexus Dashboard Fabric Controller Exposed to RCE
Cisco has issued a security advisory addressing a critical vulnerability (CVE-2024-20432) in its Nexus Dashboard Fabric Controller (NDFC). This flaw, which carries a severity rating of 9.9 out of 10 o ... Read more
- Cybersecurity News
CVE-2024-8940 (CVSS 10): Critical Flaw in Scriptcase Low-Code Platform Leaves Developers at Risk
Developers using the popular low-code platform Scriptcase are urged to update their software immediately after discovering three critical vulnerabilities that could expose their applications to seriou ... Read more
- Cybersecurity News
30 Exploitable Flaws: Alarming Study on Home Router Defaults
A study titled “Exposed by Default: A Security Analysis of Home Router Default Settings” has shed light on the pervasive vulnerabilities present in home routers, highlighting significant risks associa ... Read more
- Cybersecurity News
Unmasking “Marko Polo”: The Infostealer Gang Targeting Thousands
Marko Polo infection chain (Source: Recorded Future)Researchers at Recorded Future have uncovered a large-scale cyberattack affecting tens of thousands of devices worldwide. It was later revealed that ... Read more
- Cybersecurity News
CISA Flags Two Actively Exploited Vulnerabilities: Critical Threats to Windows and WhatsUp Gold
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning, adding two actively exploited security flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging immedia ... Read more
- seclists.org
KL-001-2024-012: VICIdial Authenticated Remote Code Execution
Full Disclosure mailing list archives KL-001-2024-012: VICIdial Authenticated Remote Code Execution From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure () seclists org> Date: Tue, 10 Sep 20 ... Read more
- seclists.org
KL-001-2024-011: VICIdial Unauthenticated SQL Injection
Full Disclosure mailing list archives From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure () seclists org> Date: Tue, 10 Sep 2024 14:28:59 -0500 KL-001-2024-011: VICIdial Unauthenticated SQ ... Read more
The following table lists the changes that have been made to the
CVE-2024-8503
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Sep. 10, 2024
Action Type Old Value New Value Added CVSS V3.1 CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -
CVE Received by bbf0bd87-ece2-41be-b873-96928ee8fab9
Sep. 10, 2024
Action Type Old Value New Value Added Description An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database. Added Reference KoreLogic https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt [No types assigned] Added Reference KoreLogic https://www.vicidial.org/vicidial.php [No types assigned] Added CWE KoreLogic CWE-89
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-8503
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-8503
weaknesses.