#php

An attacker with authenticated access to VICIdial version 2.14-917a as an agent can execute arbitrary shell commands as the root user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial version 2.14-917a to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

Queuing Simple Chatbot version 1.0 suffers from a remote shell upload vulnerability.

Profiling System version 1.0 suffers from a remote shell upload vulnerability.

Passion Responsive Blogging version 1.0 suffers from a cross site scripting vulnerability.

Online Survey System version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

Online Birth Certificate System version 1.0 suffers from an ignored default credential vulnerability.

Medical Card Generations System version 1.0 suffers from an ignored default credential vulnerability.

Emergency Ambulance Hiring Portal version 1.0 suffer from a WYSIWYG code injection vulnerability.

Printable Staff ID Card Creator System version 1.0 suffers from an insecure direct object reference vulnerability.