CVE-2013-4467 in VICIDIALinfo

Summary

by MITRE

Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/07/2026

The CVE-2013-4467 vulnerability represents a critical SQL injection flaw within the VICIDIAL dialer system, specifically targeting the agent interface component known as agc/. This vulnerability affects multiple versions of the Asterisk GUI client including 2.8-403a, 2.7, and 2.7RC1, creating a significant security risk for organizations utilizing this telephony management platform. The vulnerability stems from inadequate input validation and sanitization within the web interface components that handle user-supplied data, allowing malicious actors to manipulate database queries through carefully crafted inputs. The flaw exists in the SCRIPT_multirecording_AJAX.php script where the campaign variable is processed without proper sanitization, and in manager_send.php where the server_ip parameter lacks adequate validation measures.

The technical exploitation of this vulnerability occurs through three distinct attack vectors that collectively demonstrate the severity of the flaw. The first vector targets the campaign variable in SCRIPT_multirecording_AJAX.php, enabling remote attackers to inject malicious SQL commands that can execute with the privileges of the database user. The second vector involves authenticated users exploiting the server_ip parameter in manager_send.php, where the lack of input validation allows for arbitrary SQL command execution. These attack vectors align with CWE-89, which specifically addresses SQL injection vulnerabilities, and represent a clear violation of secure coding practices that should prevent user input from directly influencing database query construction. The third unspecified vector suggests that additional attack surfaces within the same interface may also be susceptible to similar exploitation techniques.

The operational impact of CVE-2013-4467 extends beyond simple data theft, as successful exploitation could enable attackers to gain complete control over the underlying database system. Remote attackers could potentially extract sensitive customer information, modify campaign configurations, access agent credentials, and manipulate call data records. The authenticated user vector presents particular concern as it allows individuals with legitimate access to escalate their privileges and execute unauthorized database operations. Organizations using this system may face compliance violations under regulations such as gdpr, hipaa, and pci dss due to the exposure of sensitive telephony data. The vulnerability also creates opportunities for attackers to establish persistent access through database backdoors or to conduct advanced persistent threat operations as outlined in the mitre att&ck framework, particularly under the execution and privilege escalation tactics.

Mitigation strategies for CVE-2013-4467 should focus on immediate patching of affected systems to the latest stable versions of VICIDIAL that address the SQL injection vulnerabilities. Organizations should implement proper input validation and parameterized queries throughout the affected components, ensuring that all user-supplied data is properly sanitized before database processing. Network segmentation and access controls should be strengthened to limit exposure of the agent interface to only authorized personnel. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities in other web applications. The implementation of web application firewalls and database activity monitoring can provide additional layers of protection against exploitation attempts. Organizations should also consider implementing database-level security measures such as least privilege access controls, regular audit logging, and automated vulnerability scanning to detect and prevent similar attacks in other components of their telephony infrastructure.

Reservation

06/12/2013

Disclosure

03/11/2014

Moderation

accepted

Entry

VDB-66599

CPE

ready

Exploit

Download

EPSS

0.32773

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!