CVE-2013-7382 - VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded passwor

CVE-2013-7382

Summary

VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access.

References

Vulnerable Configurations

cpe:2.3:a:vicidial:vicidial:2.7:-:*:*:*:*:*:*
cpe:2.3:a:vicidial:vicidial:2.7:-:*:*:*:*:*:*
cpe:2.3:a:vicidial:vicidial:2.7:rc1:*:*:*:*:*:*
cpe:2.3:a:vicidial:vicidial:2.7:rc1:*:*:*:*:*:*
cpe:2.3:a:vicidial:vicidial:2.8:403a:*:*:*:*:*:*
cpe:2.3:a:vicidial:vicidial:2.8:403a:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 19-05-2014 - 15:46)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:P/A:N

refmap via4

exploit-db	29513
misc	https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/
mlist	[oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection [oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection

Last major update

19-05-2014 - 15:46

Published

17-05-2014 - 19:55

Last modified

19-05-2014 - 15:46