id: CVE-2021-28854

info:
  name: VICIdial - Multiple sensitive Information disclosure
  author: pdteam
  severity: high
  description: VICIdial's Web Client contains many sensitive files that can be access from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/21
  reference: https://github.com/JHHAX/VICIdial
  tags: cve,cve2021

requests:
  - method: GET
    path:
      - "{{BaseURL}}/agc/vicidial_mysqli_errors.txt"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'text/plain'
        part: header

      - type: status
        status:
          - 200

      - type: word
        words:
          - 'vdc_db_query'
        part: body