CVE-2022-34877

MEDIUM

Vicidial - SQL Injection

Title source: rule

Description

SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.

Exploits (1)

metasploit WORKING POC

by h00die · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/vicidial_multiple_sqli.rb

View Code ZIP pw:eip

References (2)

[Patch, Third Party Advisory] https://github.com/rapid7/metasploit-framework/pull/16732

[Vendor Advisory] https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af

Scores

CVSS v3 6.4

EPSS 0.4923

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Details

CWE

CWE-89

Status published

Products (1)

vicidial/vicidial 2.14b0.5 3555

Published Jul 05, 2022

Tracked Since Feb 18, 2026