An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
[
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "VICIdial",
"vendor": "VICIdial",
"versions": [
{
"status": "affected",
"version": "2.14-917a"
}
]
}
]