CVE-2022-34877

MEDIUM

VICIdial < 2.14b0.5-3555 - SQL Injection via AST Agent Time Sheet Agent Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-34877. PoCs published by h00die, including Metasploit module auxiliary/scanner/http/vicidial_multiple_sqli.

AI-analyzed exploit summary This Metasploit module exploits multiple authenticated SQL injection vulnerabilities in VICIdial 2.14b0.5 prior to revision 3555. It targets five injection points in admin.php and other scripts to enumerate user credentials.

Description

SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.

Exploits (1)

metasploit WORKING POC
by h00die · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/vicidial_multiple_sqli.rb

This Metasploit module exploits multiple authenticated SQL injection vulnerabilities in VICIdial 2.14b0.5 prior to revision 3555. It targets five injection points in admin.php and other scripts to enumerate user credentials.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: VICIdial 2.14b0.5 (prior to svn/trunk revision 3555)
Auth required
Prerequisites: Valid VICIdial credentials · Access to vulnerable endpoints
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.4
EPSS 0.0269
EPSS Percentile 83.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Details

CWE
CWE-89
Status published
Products (1)
vicidial/vicidial 2.14b0.5 3555
Published Jul 05, 2022
Tracked Since Feb 18, 2026