CVE-2022-34877 : SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST

SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.

Published 2022-07-05 16:15:08

Updated 2022-07-13 18:16:50

Source Rapid7, Inc.

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2022-34877

Vicidial » Vicidial » Version: 2.14b0.5 Update 3555
cpe:2.3:a:vicidial:vicidial:2.14b0.5:3555:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-34877

EPSS FAQ

53.94%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2022-34877

VICIdial Multiple Authenticated SQLi

Disclosure Date: 2022-04-19

First seen: 2022-12-23

auxiliary/scanner/http/vicidial_multiple_sqli

This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable). Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts

More information

CVSS scores for CVE-2022-34877

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
6.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	3.1	2.7	cve@rapid7.con
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: Low Availability: None
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-34877

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Assigned by:
- cve@rapid7.con (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2022-34877

https://github.com/rapid7/metasploit-framework/pull/16732

VICIdial SQLi placeholder (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878) by h00die · Pull Request #16732 · rapid7/metasploit-framework · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af

vicidial.org • View topic - Recommended VICIdial Security Upgrade Notice: April 2022
Vendor Advisory

CVEs referencing this url

Jump to