CVE-2024-8503

Published Sep 10, 2024

Last updated 9 days ago

CVSS critical 9.8
IoT

Overview

Description
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
Source
bbf0bd87-ece2-41be-b873-96928ee8fab9
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

bbf0bd87-ece2-41be-b873-96928ee8fab9
CWE-89

Social media

Hype score
Not currently trending

  1. 🚨 New plugin: ViciboxVersionPlugin (CVE-2024-8503, CVE-2024-8504). VICIdial outdated version detection - unauthenticated SQL injection and authenticated RCE, versions <= 2.14-917a affected. Results: https://t.co/XFeugiRzvT https://t.co/8CaHUcfIpq

    @leak_ix

    21 Nov 2025

    290 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Exploit for CVE-2024-8504 & CVE-2024-8503: SQLi and RCE #Exploit #CVE-2024-8504 #SQLi #RCE #Vulnerabilities https://t.co/y5GuVkKBZW

    @reverseame

    21 Oct 2024

    3870 Impressions

    19 Retweets

    64 Likes

    26 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. Microsoft SharePoint Server Improper Input Validation VulnerabilityCVE-2026-32201
  2. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  3. A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.CVE-2026-4252
  4. A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.CVE-2026-4251
  5. Google Skia Out-of-Bounds Write VulnerabilityCVE-2026-3909

References

Sources include official advisories and independent security research.