Cisco Bug: CSCup74290 - SQL injection vulnerability
Jan 29, 2017
- Cisco Unified Communications Manager (CallManager)
Known Affected Releases
10.5(1.99994.1) 10.5(2.10000.4) 11.0(0.98100.17) 8.5(1.17130.1) 8.6(2.26145.1) 9.1(2.10000.28)
Symptom: A vulnerability in certain pages of the Administrative Web Interface of Cisco Unified Communications Manager (CUCM) and Cisco Unified Presence Server (CUPS) could allow an authenticated, remote attacker to perform a number of different SQL injection attacks. The vulnerability is due to insufficient sanitization of user-supplied input before the application uses it in a structured query language (SQL) statement. An attacker could exploit this vulnerability by submitting a malicious request to an affected page. Successful exploitation could allow the attacker to read or modify portions of the underlying database.
Conditions: Device configured with default configuration.