Cisco Bug: CSCup74290 - SQL injection vulnerability

Last Modified

Jan 29, 2017

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.5(1.99994.1) 10.5(2.10000.4) 11.0(0.98100.17) 8.5(1.17130.1) 8.6(2.26145.1) 9.1(2.10000.28)

Description (partial)

Symptom:
A vulnerability in certain pages of the Administrative Web Interface of Cisco Unified Communications Manager (CUCM) and Cisco Unified Presence
Server (CUPS) could allow an authenticated, remote attacker to perform a number of different SQL injection attacks.

The vulnerability is due to insufficient sanitization of user-supplied input before it is used within a structured query language (SQL)
statement by the application. An attacker could exploit this vulnerability by submitting a malicious request, designed to exploit the issue,
to an affected page. Successful exploitation could allow the attacker to read or modify portions of the underlying database.

Conditions:
Device configured with default configuration.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
