An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
History

Thu, 12 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Vicidial
Vicidial vicidial
CPEs cpe:2.3:a:vicidial:vicidial:2.14-917a:*:*:*:*:*:*:*
Vendors & Products Vicidial
Vicidial vicidial
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Sep 2024 19:45:00 +0000

Type Values Removed Values Added
Description An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
Title VICIdial Authenticated Remote Code Execution
Weaknesses CWE-78
References

cve-icon MITRE

Status: PUBLISHED

Assigner: KoreLogic

Published: 2024-09-10T19:23:39.327Z

Updated: 2024-09-12T13:52:49.969Z

Reserved: 2024-09-05T21:29:06.095Z

Link: CVE-2024-8504

cve-icon Vulnrichment

Updated: 2024-09-12T13:52:45.180Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-10T20:15:05.363

Modified: 2024-09-12T14:35:23.173

Link: CVE-2024-8504

cve-icon Redhat

No data.