Products
VICIdial
- UNKNOWN
Source
bbf0bd87-ece2-41be-b873-96928ee8fab9
Tags
CVE-2024-8504 details
Published : Sept. 10, 2024, 8:15 p.m.
Last Modified : Sept. 10, 2024, 8:15 p.m.
Last Modified : Sept. 10, 2024, 8:15 p.m.
Description
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
References
| URL | Source |
|---|---|
| https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt | bbf0bd87-ece2-41be-b873-96928ee8fab9 |
| https://www.vicidial.org/vicidial.php | bbf0bd87-ece2-41be-b873-96928ee8fab9 |
This website uses the NVD API, but is not approved or certified by it.