Guest

Preview Tool

Cisco Bug: CSCut21563 - SQL Injection vulnerability in the ccmivr Web application

Last Modified

Feb 03, 2017

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.5(1.98991.13)

Description (partial)

Symptom:
A vulnerability in in the Cisco Unified Communications Manager (UCM) Interactive Voice Response (IVR) interface could allow
an unauthenticated, remote attacker to impact the  confidentiality of the system by executing arbitrary SQL queries.

The vulnerability is due to a lack of input validation on user-supplied input within SQL queries. An attacker could exploit this vulnerability by
sending crafted URLs that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence
of certain values in the database.

Conditions:
Default configuration of system running affected version.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.