Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score (CVSS v2) 6.5
CVE Id CVE-2013-4467
Last Modified 20 May 2014 12:06:46
Published 11 Mar 2014 03:37:03
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication SINGLE_INSTANCE

CVE-2013-4467

Summary

Multiple SQL injection vulnerabilities in the agent interface (agc/) of the VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign parameter of SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter of manager_send.php, or (3) other unspecified vectors. Note that vector (1) requires no authentication, while vector (2) requires a valid agent login. NOTE: some of these details are obtained from third party information.
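The summary names the two scripts and the two parameters that carry the injection, which is enough to write a retrospective check against web-server access logs. The script below is an added example, not code from this page or from the VICIDIAL project: it parses Apache combined-format log lines, selects requests to the two named scripts, and flags values of the named parameter that fail the shape a legitimate value would have (an alphanumeric campaign id, a dotted-quad server_ip) and contain SQL metacharacters. The log lines and the injected strings in SAMPLE_LOG are constructed for the example, not captured traffic or a known exploit payload, and the "expected shape" rules are assumptions about what VICIDIAL accepts, not taken from its source. Caveat: access logs record only the query string, so parameters sent in a POST body are invisible to this check; covering those needs request-body logging (for example a WAF audit log).

```python
"""Hypothetical access-log check for the two CVE-2013-4467 injection points.

Example code, not VICIDIAL's own. SAMPLE_LOG is constructed test data.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Script path -> parameter named in the CVE summary (assumption: only these two).
WATCHED = {
    "/agc/SCRIPT_multirecording_AJAX.php": "campaign",
    "/agc/manager_send.php": "server_ip",
}

# Apache combined log: host ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed legitimate shapes: a campaign id is alphanumeric, a server_ip is a dotted quad.
EXPECTED = {
    "campaign": re.compile(r"^[A-Za-z0-9_]+$"),
    "server_ip": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
}

# SQL tokens that have no business in either value (heuristic, not a complete grammar).
SQLI_TOKENS = re.compile(r"('|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\()", re.I)


def inspect_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    param = WATCHED.get(parts.path)
    if param is None:
        return None
    # parse_qs percent-decodes once; decode again so double-encoded payloads are also seen.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        value = unquote_plus(raw)
        if not EXPECTED[param].match(value) and SQLI_TOKENS.search(value):
            return {
                "ip": m.group("ip"),
                "user": m.group("user"),
                "script": parts.path,
                "param": param,
                "value": value,
            }
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [hit for hit in (inspect_line(line) for line in lines) if hit]


# Constructed sample log: two benign requests, two injection attempts, one unrelated script.
SAMPLE_LOG = [
    '10.0.0.5 - agent1 [23/Oct/2013:10:00:01 +0000] "GET /agc/SCRIPT_multirecording_AJAX.php?campaign=TESTCAMP&lead_id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Oct/2013:10:00:02 +0000] "GET /agc/SCRIPT_multirecording_AJAX.php?campaign=TESTCAMP%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 731 "-" "curl/7.30"',
    '10.0.0.5 - agent1 [23/Oct/2013:10:00:03 +0000] "GET /agc/manager_send.php?server_ip=192.168.1.10&ACTION=Hangup HTTP/1.1" 200 140 "-" "Mozilla/5.0"',
    '10.0.0.5 - agent1 [23/Oct/2013:10:00:04 +0000] "GET /agc/manager_send.php?server_ip=192.168.1.10%27%20AND%20SLEEP(5)--%20&ACTION=Hangup HTTP/1.1" 200 140 "-" "Mozilla/5.0"',
    '10.0.0.9 - agent2 [23/Oct/2013:10:00:05 +0000] "GET /agc/vicidial.php?campaign=%27 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} user={hit['user']} {hit['script']} {hit['param']}={hit['value']!r}")
```

Running it against SAMPLE_LOG reports the two injected requests and nothing else; the request to vicidial.php is ignored because only the two scripts named in the advisory are watched. Tune EXPECTED to the parameter formats actually seen in your own logs before relying on the shape rule.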

Vulnerable Systems

Application

  • Vicidial 2.7

  • Vicidial 2.8


References

MISC - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb

MISC - https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities

BID - 63340

SECUNIA - 55453

MLIST - [oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection

MLIST - [oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection

OSVDB - 98903

EXPLOIT-DB - 29513


Last Updated: 27 May 2016 11:04:37