CVE-2022-34876

Severity: Medium · Public PoC available

Published: 05 July 2022
Modified: 21 November 2024
KEV Added: none recorded
Patch: none recorded
CVSS Score (v3.1): 5.5 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.5320 (98.0th percentile)
Risk Priority: 43 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-34876 is a medium-severity SQL Injection (CWE-89) vulnerability in VICIdial (vendor and product both listed as Vicidial). Its CVSS base score is 5.5 (Medium).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-34876 is a SQL injection vulnerability in the admin interface of VICIdial at /vicidial/admin.php, triggered through the modify_email_accounts, access_recordings, and agentcall_email parameters. The flaw affects VICIdial 2.14b0.5 versions prior to build 3555 and is tracked as CWE-89 with a CVSS 3.1 score of 5.5.

An authenticated administrator can supply crafted input over the network to alter SQL queries, resulting in the ability to spoof identities, tamper with or fully disclose data, render data unavailable, or obtain database server administrator privileges.

References point to a Metasploit Framework module and VICIdial forum threads that address the issue, with the affected versions explicitly noted as fixed beginning with build 3555. The associated EPSS score sits at a current and peak value of 0.5320.

Vulnerability details

SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vicidial
Product: vicidial
Version: 2.14b0.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

- Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
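The input-validation control above is abstract; the following is an added illustration (not VICIdial code, and not taken from this page) of why the CWE-89 fix is parameterised queries first and allow-list validation second. It uses a constructed in-memory SQLite table named `email_accounts` with a hypothetical `account` column, standing in for whatever the real admin page queries; the table, rows and parameter name are assumptions for the demo only.

```python
import re
import sqlite3

# Constructed sample schema and rows; this is NOT VICIdial's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE email_accounts (id INTEGER PRIMARY KEY, account TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO email_accounts (account, owner) VALUES (?, ?)",
        [("support", "alice"), ("sales", "bob"), ("billing", "carol")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, account):
    # Vulnerable pattern (CWE-89): the request parameter is concatenated into
    # the statement, so its characters become part of the SQL grammar.
    sql = "SELECT account, owner FROM email_accounts WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account):
    # Hardened pattern: the value is bound by the driver as data and can
    # never change the structure of the statement.
    return conn.execute(
        "SELECT account, owner FROM email_accounts WHERE account = ?", (account,)
    ).fetchall()


# Allow-list for an account-name style parameter (assumed format for the demo).
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_valid_account(value):
    # Second layer of defence: reject anything outside the expected character
    # set before it reaches the database layer at all.
    return ACCOUNT_RE.fullmatch(value) is not None


def demo():
    """Run the same tautology-style value through both lookups.

    Returns (rows_from_unsafe, rows_from_safe): the concatenated query matches
    every row, the parameterised one matches none.
    """
    conn = make_db()
    injected = "x' OR '1'='1"
    unsafe_rows = lookup_unsafe(conn, injected)
    safe_rows = lookup_safe(conn, injected)
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    print("rows returned (unsafe, safe):", demo())          # (3, 0)
    print("allow-list accepts 'sales':", is_valid_account("sales"))
    print("allow-list accepts injected value:", is_valid_account("x' OR '1'='1"))
```

The `lookup_safe` form is the actual fix; `is_valid_account` adds a cheap early rejection that also makes injection attempts visible in application logs, which is useful detection signal for an admin endpoint that only privileged users should be reaching.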
