CVE-2025-34099

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-34099
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.
CVSS

No CVSS.

References
Link Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb
https://vulncheck.com/advisories/vicidial-unauth-command-injection
https://www.exploit-db.com/exploits/42370
https://www.vicidial.org/VICIDIALmantis/view.php?id=1016
Configurations

No configuration.

History

07 Aug 2025, 14:15

Type Values Removed Values Added
Summary (en) An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. (en) An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

14 Jul 2025, 15:15

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de inyección de comandos no autenticados en las versiones 2.9 RC1 a 2.13 RC1 de VICIdial, dentro del componente vicidial_sales_viewer.php cuando el cifrado de contraseña está habilitado (una configuración no predeterminada). La aplicación pasa incorrectamente la contraseña de autenticación básica HTTP directamente a una llamada a exec() sin la debida autorización. Esto permite a atacantes remotos inyectar y ejecutar comandos arbitrarios del sistema operativo como si fueran el usuario del servidor web.
References
  • () https://www.vicidial.org/VICIDIALmantis/view.php?id=1016 -

10 Jul 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-10 20:15

Updated : 2025-08-07 14:15

NVD link : CVE-2025-34099

Mitre link : CVE-2025-34099

CVE.ORG link : CVE-2025-34099

JSON object : View

Products Affected

No product.

CWE
CWE-20

Improper Input Validation

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')