9.8
CRITICAL
CVE-2024-8503
VICIdial SQL Injection Vulnerability
Description

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

INFO

Published Date :

Sept. 10, 2024, 8:15 p.m.

Last Modified :

Nov. 21, 2024, 9:53 a.m.

Source :

bbf0bd87-ece2-41be-b873-96928ee8fab9

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9
Public PoC/Exploit Available at Github

CVE-2024-8503 has a 2 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-8503 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Vicidial vicidial
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-8503.

URL Resource
https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt
https://www.vicidial.org/vicidial.php
http://seclists.org/fulldisclosure/2024/Sep/25

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

VICIdial Unauthenticated SQLi to RCE Exploit (CVE-2024-8503 and CVE-2024-8504)

Python

Updated: 3 weeks, 1 day ago
38 stars 5 fork 5 watcher
Born at : Sept. 14, 2024, 6:27 a.m. This repo has been linked 2 different CVEs too.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 2 weeks, 1 day ago
6566 stars 1140 fork 1140 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 958 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-8503 vulnerability anywhere in the article.

  • Cybersecurity News
Apache Roller Patches CSRF Flaw CVE-2024-46911 in Latest Update

The Apache Software Foundation has released a security update for Apache Roller, a popular Java-based blogging platform. This update addresses a critical Cross-site Request Forgery (CSRF) vulnerabilit ... Read more

Published Date: Oct 14, 2024 (2 months, 1 week ago)
  • Cybersecurity News
Google Pays $55,000 Bounty for Chrome Security Flaw

Google has released a Stable Channel update for Chrome on Windows, Mac, and Linux, bringing the browser to version 129.0.6668.100/.101. The update is expected to roll out over the next few days and in ... Read more

Published Date: Oct 09, 2024 (2 months, 1 week ago)
  • Cybersecurity News
Microsoft’s October 2024 Patch Tuesday: Zero-Day Exploits and Critical Vulnerabilities Patched

Microsoft’s October 2024 Patch Tuesday delivered a crucial set of security updates, addressing a total of 121 vulnerabilities across its ecosystem. This includes three critical vulnerabilities and 114 ... Read more

Published Date: Oct 09, 2024 (2 months, 1 week ago)
  • Cybersecurity News
CyberVolk: From Hacktivism to Ransomware – Researcher Exposes New Threat

CyberVolk dialog window | Image: Rapid7Cybersecurity researchers at Rapid7 Labs have released a detailed report on CyberVolk, a politically motivated hacktivist group that transitioned into using rans ... Read more

Published Date: Oct 07, 2024 (2 months, 2 weeks ago)
  • Cybersecurity News
CVE-2024-5102: Avast Antivirus Flaw Could Allow Hackers to Delete Files and Run Code as SYSTEM

A high-severity vulnerability (CVE-2024-5102) has been discovered in Avast Antivirus for Windows, potentially allowing attackers to gain elevated privileges and wreak havoc on users’ systems. This fla ... Read more

Published Date: Oct 03, 2024 (2 months, 2 weeks ago)
  • Cybersecurity News
CVE-2024-20432 (CVSS 9.9): Cisco Nexus Dashboard Fabric Controller Exposed to RCE

Cisco has issued a security advisory addressing a critical vulnerability (CVE-2024-20432) in its Nexus Dashboard Fabric Controller (NDFC). This flaw, which carries a severity rating of 9.9 out of 10 o ... Read more

Published Date: Oct 03, 2024 (2 months, 2 weeks ago)
  • Cybersecurity News
PoC Exploit Releases for Zimbra RCE Flaw CVE-2024-45519: Mass Exploitation Detected

Image: ptswarmZimbra, one of the most widely used email and collaboration platforms globally, has recently been identified as vulnerable to a critical security flaw that could allow attackers to take ... Read more

Published Date: Oct 02, 2024 (2 months, 2 weeks ago)
  • Cybersecurity News
CVE-2024-8940 (CVSS 10): Critical Flaw in Scriptcase Low-Code Platform Leaves Developers at Risk

Developers using the popular low-code platform Scriptcase are urged to update their software immediately after discovering three critical vulnerabilities that could expose their applications to seriou ... Read more

Published Date: Oct 02, 2024 (2 months, 2 weeks ago)
  • Cybersecurity News
30 Exploitable Flaws: Alarming Study on Home Router Defaults

A study titled “Exposed by Default: A Security Analysis of Home Router Default Settings” has shed light on the pervasive vulnerabilities present in home routers, highlighting significant risks associa ... Read more

Published Date: Sep 25, 2024 (2 months, 3 weeks ago)
  • Cybersecurity News
Unmasking “Marko Polo”: The Infostealer Gang Targeting Thousands

Marko Polo infection chain (Source: Recorded Future)Researchers at Recorded Future have uncovered a large-scale cyberattack affecting tens of thousands of devices worldwide. It was later revealed that ... Read more

Published Date: Sep 20, 2024 (3 months ago)
  • Cybersecurity News
CISA Flags Two Actively Exploited Vulnerabilities: Critical Threats to Windows and WhatsUp Gold

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning, adding two actively exploited security flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging immedia ... Read more

Published Date: Sep 17, 2024 (3 months ago)
  • Cybersecurity News
Critical Flaws Found in VICIdial Contact Center Suite: CVE-2024-8503 and CVE-2024-8504, PoC Published

In a concerning development for call centers using VICIdial, a popular open-source contact center solution, two high-severity security vulnerabilities have been discovered that could lead to severe da ... Read more

Published Date: Sep 17, 2024 (3 months ago)
  • seclists.org
KL-001-2024-012: VICIdial Authenticated Remote Code Execution

Full Disclosure mailing list archives KL-001-2024-012: VICIdial Authenticated Remote Code Execution From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure () seclists org> Date: Tue, 10 Sep 20 ... Read more

Published Date: Sep 10, 2024 (3 months, 1 week ago)
  • seclists.org
KL-001-2024-011: VICIdial Unauthenticated SQL Injection

Full Disclosure mailing list archives From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure () seclists org> Date: Tue, 10 Sep 2024 14:28:59 -0500 KL-001-2024-011: VICIdial Unauthenticated SQ ... Read more

Published Date: Sep 10, 2024 (3 months, 1 week ago)

The following table lists the changes that have been made to the CVE-2024-8503 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference http://seclists.org/fulldisclosure/2024/Sep/25
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Sep. 10, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE Received by bbf0bd87-ece2-41be-b873-96928ee8fab9

    Sep. 10, 2024

    Action Type Old Value New Value
    Added Description An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
    Added Reference KoreLogic https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt [No types assigned]
    Added Reference KoreLogic https://www.vicidial.org/vicidial.php [No types assigned]
    Added CWE KoreLogic CWE-89
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-8503 is associated with the following CWEs:

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability