ID CVE-2013-4468
Summary VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php. Per: http://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"
References
Vulnerable Configurations
  • cpe:2.3:a:vicidial:vicidial:2.7:-:*:*:*:*:*:*
    cpe:2.3:a:vicidial:vicidial:2.7:-:*:*:*:*:*:*
  • cpe:2.3:a:vicidial:vicidial:2.7:rc1:*:*:*:*:*:*
    cpe:2.3:a:vicidial:vicidial:2.7:rc1:*:*:*:*:*:*
  • cpe:2.3:a:vicidial:vicidial:2.8:403a:*:*:*:*:*:*
    cpe:2.3:a:vicidial:vicidial:2.8:403a:*:*:*:*:*:*
CVSS
Base: 6.5 (as of 15-05-2014 - 13:16)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
refmap via4
exploit-db 29513
misc https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/
mlist
  • [oss-security] 20131023 VICIDIAL 2.7 - SQL Injection, Command Injection
  • [oss-security] 20131024 Re: VICIDIAL 2.7 - SQL Injection, Command Injection
Last major update 15-05-2014 - 13:16
Published 14-05-2014 - 19:55
Last modified 15-05-2014 - 13:16
Back to Top