CVE-2022-34879: vicidial.org • View topic - Recommended VICIdial Security Upgrade Notice: April 2022

Please read this carefully as it contains important information regarding the security of your VICIdial system.

Due to the recent discovery of several new security risks in the admin and agent web interface code, we have rolled out an update to the VICIdial code-base. These vulnerabilities have been patched and we have added additional code that further secures the web-facing portions of VICIdial. Any system that is at SVN revision 3583 or greater already has these changes(March 7, 2022). If your system is below that version, we strongly recommend that you upgrade VICIdial to address these concerns.

Instructions for how to connect to our public SVN server to get the latest code are available here:

http://wiki.vicidial.org/doku.php?id=svn

You can also find recent snapshots of the svn code available here:

https://www.vicidial.org/svn_trunk_nightly/

If you have a VICIhost account with us, know that we have already upgraded all servers and there is nothing that needs to be done on your end.

This Upgrade Notice covers several separate CVEs that have been submitted by several different people and organizations over the last few months, and those CVEs will be published in the near future by the people and organizations that reported them. All of these vulnerabilities involve PHP specifically, most of them require authenticated user access to your VICIdial system to exploit. Most of these exploits involved incomplete PHP input variable filtering. As a result of these reports, we spent several weeks reviewing every PHP script in the VICIdial codebase for input variables and filtering. We also made some security changes to make the system more secure by default.

If you have any questions about this notice, please contact us or reply to this post.