{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8503", "assignerOrgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9", "state": "PUBLISHED", "assignerShortName": "KoreLogic", "dateReserved": "2024-09-05T21:29:03.299Z", "datePublished": "2024-09-10T19:22:40.111Z", "dateUpdated": "2024-09-10T21:02:45.121Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "VICIdial", "vendor": "VICIdial", "versions": [{"status": "affected", "version": "2.14-917a"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jaggar Henry of KoreLogic, Inc."}], "datePublic": "2024-09-10T19:22:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database."}], "value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9", "shortName": "KoreLogic", "dateUpdated": "2024-09-10T19:22:40.111Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt"}, {"tags": ["product"], "url": "https://www.vicidial.org/vicidial.php"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.<br>"}], "value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08."}], "source": {"discovery": "UNKNOWN"}, "title": "VICIdial Unauthenticated SQL Injection", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "vicidial", "product": "vicidial", "cpes": ["cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.14-917a", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-10T19:30:58.340394Z", "id": "CVE-2024-8503", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T19:36:08.120Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2024/Sep/25"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-10T21:02:45.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2024/Sep/25"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-10T21:02:45.121Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-8503", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-10T19:30:58.340394Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*"], "vendor": "vicidial", "product": "vicidial", "versions": [{"status": "affected", "version": "2.14-917a"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T19:35:47.224Z"}}], "cna": {"title": "VICIdial Unauthenticated SQL Injection", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Jaggar Henry of KoreLogic, Inc."}], "affected": [{"vendor": "VICIdial", "product": "VICIdial", "versions": [{"status": "affected", "version": "2.14-917a"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.", "supportingMedia": [{"type": "text/html", "value": "This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08.<br>", "base64": false}]}], "datePublic": "2024-09-10T19:22:00.000Z", "references": [{"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt", "tags": ["third-party-advisory"]}, {"url": "https://www.vicidial.org/vicidial.php", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.", "supportingMedia": [{"type": "text/html", "value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9", "shortName": "KoreLogic", "dateUpdated": "2024-09-10T19:22:40.111Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8503", "state": "PUBLISHED", "dateUpdated": "2024-09-10T21:02:45.121Z", "dateReserved": "2024-09-05T21:29:03.299Z", "assignerOrgId": "bbf0bd87-ece2-41be-b873-96928ee8fab9", "datePublished": "2024-09-10T19:22:40.111Z", "assignerShortName": "KoreLogic"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database."}, {"lang": "es", "value": "Un atacante no autenticado puede aprovechar una vulnerabilidad de inyecci\u00f3n SQL basada en tiempo en VICIdial para enumerar registros de la base de datos. De manera predeterminada, VICIdial almacena credenciales de texto plano dentro de la base de datos."}], "id": "CVE-2024-8503", "lastModified": "2024-11-21T09:53:17.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-09-10T20:15:05.283", "references": [{"source": "bbf0bd87-ece2-41be-b873-96928ee8fab9", "url": "https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt"}, {"source": "bbf0bd87-ece2-41be-b873-96928ee8fab9", "url": "https://www.vicidial.org/vicidial.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Sep/25"}], "sourceIdentifier": "bbf0bd87-ece2-41be-b873-96928ee8fab9", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "bbf0bd87-ece2-41be-b873-96928ee8fab9", "type": "Secondary"}]}

{}