CVE-2022-34876
Published: 05 July 2022
Summary
CVE-2022-34876 is a medium-severity SQL Injection (CWE-89) vulnerability in VICIdial (vendor: Vicidial). Its CVSS base score is 5.5 (Medium).
Operationally, it is ranked in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-34876 is a SQL injection vulnerability in the admin interface of VICIdial at /vicidial/admin.php, triggered through the modify_email_accounts, access_recordings, and agentcall_email parameters. The flaw affects VICIdial 2.14b0.5 versions prior to build 3555 and is tracked as CWE-89 with a CVSS 3.1 score of 5.5.
An authenticated administrator can supply crafted input over the network to alter SQL queries, resulting in the ability to spoof identities, tamper with or fully disclose data, render data unavailable, or obtain database server administrator privileges.
References point to a Metasploit Framework module and VICIdial forum threads that address the issue; the affected versions are explicitly noted as fixed beginning with build 3555. The associated EPSS score is 0.5320, which is both its current and its peak value.
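As an added defender-side example (not part of this advisory and not VICIdial's own code), the check below scans web server access-log lines for requests to the affected admin.php endpoint whose three named parameters carry SQL metacharacters or keywords. The log lines are constructed, and the code assumes the parameters arrive in the query string; requests that carry them in a POST body need request-body logging or a WAF to be seen.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameters named in the CVE-2022-34876 description.
TARGET_PATH = "/vicidial/admin.php"
WATCHED_PARAMS = {"modify_email_accounts", "access_recordings", "agentcall_email"}

# Common Log Format: host ident authuser [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and keywords that have no legitimate place in these option-style parameters.
SQLI_RE = re.compile(r"['\"`;]|--|/\*|\b(union|select|sleep|benchmark)\b", re.IGNORECASE)


def suspicious_params(target):
    """Return the watched parameter names whose decoded values look like SQL injection."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    hits = set()
    for name in WATCHED_PARAMS.intersection(qs):
        if any(SQLI_RE.search(value) for value in qs[name]):
            hits.add(name)
    return sorted(hits)


def scan_access_log(lines):
    """Yield one finding per log line that targets admin.php with a tainted watched parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        params = suspicious_params(m["target"])
        if params:
            findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                             "status": m["status"], "params": params})
    return findings


# Constructed sample lines: one benign admin request, one with a quote and comment marker
# in a watched parameter, one with a quote but on a path the CVE does not cover.
SAMPLE_LOG = [
    '10.0.0.5 - admin [05/Jul/2022:10:00:01 +0000] "GET /vicidial/admin.php?ADD=3&modify_email_accounts=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [05/Jul/2022:10:00:07 +0000] "GET /vicidial/admin.php?ADD=3&modify_email_accounts=1%27%20-- HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [05/Jul/2022:10:00:09 +0000] "GET /vicidial/welcome.php?access_recordings=%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Because the flaw requires an authenticated administrator, the `user` field is the most useful pivot for incident response; a hit from an administrator account that does not normally use these screens is the case worth escalating.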
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-37780
Vulnerability details
SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.