CVE-2024-8503

Tags: CRITICAL, EXPLOITED, NUCLEI

VICIdial Authenticated Remote Code Execution

Title source: metasploit

Description

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

Exploits (3)

github (WORKING POC, 41 stars)
by Chocapikk · python · remote
https://github.com/Chocapikk/CVE-2024-8504

metasploit (WORKING POC)
by Valentin Lobstein, Jaggar Henry of KoreLogic, Inc. · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/vicidial_sql_enum_users_pass.rb

metasploit (WORKING POC, EXCELLENT)
by Valentin Lobstein, Jaggar Henry of KoreLogic, Inc. · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_agent_authenticated_rce.rb

Nuclei Templates (1)

VICIdial - SQL Injection
CRITICAL, VERIFIED · by s4e-io
FOFA: icon_hash="1375401192"

Scores

CVSS v3 9.8
EPSS 0.9213
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-03-19
CWE
CWE-89
Status published
Products (1)
VICIdial/VICIdial 2.14-917a
Published Sep 10, 2024
Tracked Since Feb 18, 2026