QwikSec

Security Database

CVE

CWE

Training

CVE-2013-4467

Published: Mar 11, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

[oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection

mailing-list

x_refsource_MLIST

https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities

x_refsource_MISC

vdb-entry

x_refsource_BID

[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection

mailing-list

x_refsource_MLIST

third-party-advisory

x_refsource_SECUNIA

vdb-entry

x_refsource_OSVDB

exploit

x_refsource_EXPLOIT-DB

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.