| |
Vulnerability CVE-2022-34878
Published: 2022-07-05
| Description: |
SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. |
Type:
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
CVSS2 => (AV:N/AC:L/Au:S/C:C/I:C/A:C)
| CVSS Base Score |
Impact Subscore |
Exploitability Subscore |
9/10 |
10/10 |
8/10 |
| Exploit range |
Attack complexity |
Authentication |
Remote |
Low |
Single time |
| Confidentiality impact |
Integrity impact |
Availability impact |
Complete |
Complete |
Complete |
References: |
https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af
https://github.com/rapid7/metasploit-framework/pull/16732
|
|
|
Copyright 2024, cxsecurity.com
|
|
|
