CVE-2013-4467

Name of the Vulnerable Software and Affected Versions VICIDIAL dialer versions 2.8-403a, 2.7, 2.7RC1, and earlier

Description The issue concerns SQL injection vulnerabilities in the agent interface of VICIDIAL dialer. These vulnerabilities allow remote attackers to execute arbitrary SQL commands via the campaign variable in "SCRIPT multirecording AJAX.php", or remote authenticated users to execute arbitrary SQL commands via the server ip parameter to "manager send.php". There are also other unspecified vectors.

Recommendations For versions 2.8-403a, 2.7, 2.7RC1, and earlier, consider disabling access to the "SCRIPT multirecording AJAX.php" and "manager send.php" scripts until a patch is available. Restrict access to the campaign variable and server ip parameter to minimize the risk of exploitation.