What is CVE-2024-8503?

CVE-2024-8503 is a vulnerability in Vicidial, classified under SQL Injection. Published 2024-09-10.

Is CVE-2024-8503 known to be exploited?

8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

SQL Injection in Vicidial

CVE-2024-8503

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

Vulnerability class: SQL Injection

EPSS: 0.931 (99.8th percentile) — read the EPSS interpretation.

Affected products

Vicidial — versions 2.14-917a

Weakness classification (CWE)

CWE-89 — SQL Injection

Public proof-of-concept exploits

Machine-farmer/vicidial-cve-2024-8503-blind-sqli-poc
rapid7/metasploit-framework
20142995/nuclei-templates
ARPSyndicate/cve-scores
Chocapikk/CVE-2024-8504
cyb3r-w0lf/nuclei-template-collection
fkie-cad/nvd-json-data-feeds
nomi-sec/PoC-in-GitHub

References

korelogic.com/Resources/Advisories/KL-001-2024-011.txt (third-party-advisory)
www.vicidial.org/vicidial.php (product)

Frequently asked questions

What is CVE-2024-8503?: CVE-2024-8503 is a vulnerability in Vicidial, classified under SQL Injection. Published 2024-09-10.
Is CVE-2024-8503 known to be exploited?: 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.