This web page screenshot shows the content of an email concerning security vulnerabilities in the VICIDIAL 2.7 software. A concise summary of the key information follows:

Vulnerability Details:
- Type: Authenticated SQL Injection, Authenticated Command Injection
- Affected Software: VICIDIAL 2.7
- Vendor: The Vicidial Group

Source Code Link: http://sourceforge.net/projects/astguiclient/files/astguiclient_2.7rc1.zip/download

Affected Versions:
- 2.7RC1
- 2.7
- 2.8-403a (and likely other versions)

Specific Issues in Code:
- SQL Injection Vulnerability: Present in at line 285, where parameters are passed without validation or escaping.
- Command Injection Vulnerability: Present in at line 429, due to unfiltered command arguments.

Additional Security Concerns:
- Two accounts with hard-coded passwords ( , ) can be used to bypass authentication and exploit the software.
- SQL injection can help bypass another check, leading to command injection.

Current Status:
- The vendor confirmed the issue on June 3rd, but updates or advisories for OSS users had not been released at the time of the email.

This information highlights the need for urgent patches and the potential risks faced by users of the VICIDIAL software.