Guest

Preview Tool

Cisco Bug: CSCuw24700 - Cisco ACS SQL Injection Vulnerability

Last Modified

Aug 19, 2016

Products (1)

  • Cisco Secure Access Control Server Solution Engine

Known Affected Releases

5.7(0.15)

Description (partial)

Symptom:
A vulnerability in the Cisco Secure Access Control Server (ACS) interface could allow an authenticated, 
remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries.

The vulnerability is due to a lack of input validation on user-supplied input within 
SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that 
contain malicious SQL statements to the affected system. An exploit could allow the 
attacker to determine the presence of certain values in the database.

Conditions:
Default configuration of system running affected version.

Conditions:
Default configuration of system running affected version.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.