VICIdial 2.14-917a SQL Injection exploit
A time-based SQL injection vulnerability was discovered in VICIdial version 2.14-917a. It is identified as CVE-2024-8503 and allows an unauthenticated attacker to enumerate database records. VICIdial, an open-source contact center suite, does not consistently sanitize user input across its scripts, which leads to this flaw. Specifically, the "VERM_AJAX_functions.php" script fails to sanitize the 'PHP_AUTH_USER' input before it is used in a SQL "INSERT" statement, making unauthenticated SQL injection possible.

The vulnerability was discovered by Jaggar Henry of KoreLogic, Inc., and has been fixed in the public Subversion repository as of revision 3848, committed on July 8, 2024. KoreLogic confirmed the fix on July 11, 2024, and after an embargo period requested by VICIdial, the details were publicly disclosed on September 10, 2024. A proof of concept script is provided to demonstrate the exploitation process and enumerate the results of provided queries.

CVEs: CVE-2024-8503

[View Article](https://sploitus.com/exploit?id=PACKETSTORM:181460)
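The defect class described above, shown beside its fix, as an added example that is not VICIdial's code or the advisory's proof of concept: a username taken from an HTTP Basic Authorization header (the value PHP exposes as PHP_AUTH_USER) is written by an INSERT, first by string concatenation and then as a bound parameter. Assumptions: Python with an in-memory SQLite database stands in for PHP and MySQL, and the `audit_log` table, function names and sample header are hypothetical.

```python
import base64
import sqlite3

# Constructed sample: Basic credentials for the username "o'brien" (note the quote).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"o'brien:anything").decode()

def basic_auth_user(header):
    """Username from a Basic Authorization header (what PHP exposes as
    PHP_AUTH_USER). The client chooses it; nothing has verified it yet."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit_log (user TEXT, action TEXT)")  # hypothetical schema
    return db

def log_unsafe(db, user):
    # Defect class: the header value becomes part of the SQL text itself.
    db.execute("INSERT INTO audit_log (user, action) VALUES ('" + user + "', 'report')")

def log_safe(db, user):
    # Fix: the SQL text is constant; the value travels separately as a bound parameter.
    db.execute("INSERT INTO audit_log (user, action) VALUES (?, 'report')", (user,))

def demo():
    user = basic_auth_user(SAMPLE_HEADER)
    db = new_db()
    try:
        log_unsafe(db, user)
        unsafe_error = None
    except sqlite3.Error as exc:
        unsafe_error = type(exc).__name__  # the quote changed the statement's syntax
    log_safe(db, user)
    rows = db.execute("SELECT user, action FROM audit_log").fetchall()
    return unsafe_error, rows

if __name__ == "__main__":
    print(demo())
```

A harmless apostrophe is enough to alter the concatenated statement, which is why the value must be bound rather than escaped ad hoc; in PHP the equivalent is a mysqli or PDO prepared statement.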