CVE-2022-34878

CVE Database · CVE-2022-34878

CVE-2022-34878

· MEDIUMModified

CVSS v3.1

5.5

EPSS

2.73%

Published

Jul 5, 2022

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-89CWE-89

Affected Products (1)

vicidial · vicidialvulnerable

References (4)

https://github.com/rapid7/metasploit-framework/pull/16732

PatchThird Party Advisory

https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af

Vendor Advisory

https://github.com/rapid7/metasploit-framework/pull/16732

PatchThird Party Advisory

https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs