CVE-2022-34878

VICIDial 2.14b0.5 SVN 3550 was discovered to contain a SQL injection vulnerability at /vicidial/user_stats.php.

Description

SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Remediation

Solution:

  • Upgrade to SVN release 3583 or later.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 51.18% Top 5%
Vendor Advisory vicidial.org
Affected: VICIdial VICIdial
Published at:
Updated at:

References

Link Tags
https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af vendor advisory
https://github.com/rapid7/metasploit-framework/pull/16732 third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2022-34878?
CVE-2022-34878 has been scored as a medium severity vulnerability.
How to fix CVE-2022-34878?
To fix CVE-2022-34878: Upgrade to SVN release 3583 or later.
Is CVE-2022-34878 being actively exploited in the wild?
It is possible that CVE-2022-34878 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~51% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-34878?
CVE-2022-34878 affects VICIdial VICIdial.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.