An attacker can brute-force lead_id values and send a crafted request to agc vicidial.php with function=DISPO and dispo=BADNUMBER , corrupting call results and reporting.
enters a listening state. It waits for the database to signal that a lead has been dialed and bridged. When that happens, the screen transforms, instantly populating with the customer's data—name, address, and history—fetched from the vicidial_users and lead tables The Three-Way Dance agc vicidial.php
Are you experiencing a on the screen?
If you must change vicidial.php , copy it to vicidial_custom.php and point your agents to the new URL. This prevents your customizations from being overwritten during the next system upgrade ( svn up ). An attacker can brute-force lead_id values and send