Critical Flaws Found in VICIdial Contact Center Suite: CVE-2024-8503 and CVE-2024-8504, PoC Published
Two critical security vulnerabilities have been identified in VICIdial, an open-source contact center solution with over 14,000 installations worldwide. The first, CVE-2024-8503, is a time-based SQL injection that can be exploited without authentication, allowing attackers to read sensitive data from the VICIdial database. The second, CVE-2024-8504, allows authenticated users with "agent"-level access to execute arbitrary shell commands with the highest system privileges, potentially leading to full system compromise. A proof-of-concept exploit has been published on GitHub by a security researcher, making these vulnerabilities easier to exploit. VICIdial users are urged to update immediately to the latest version, which includes fixes for both vulnerabilities; any delay could have severe consequences.

CVEs: CVE-2024-8503, CVE-2024-8504

[View Article](https://securityonline.info/critical-flaws-found-in-vicidial-contact-center-suite-cve-2024-8503-and-cve-2024-8504-poc-published/)