Cisco Bug: CSCvf07617 - Cisco Smart Net Total Care Portal: SQL Injection Vulnerability in Contracts Details page

Last Modified

Mar 07, 2018

Products (1)

  • Network Level Service

Known Affected Releases

3.11

Description (partial)

Symptom:
A vulnerability in the Cisco Smart Net Total Care (SNTC) portal could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which could allow the attacker to compromise the confidentiality of the system through SQL timing attacks. The vulnerability is due to insufficient input validation of certain user-supplied fields that are subsequently used to build SQL queries. 

The issue has been resolved in the SNTC 3.11 release.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc

Conditions:
This was already addressed in SNTC portal software version 3.11, released on Jul 7th 2017.
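
The root cause named in the Symptom text (user-supplied fields used to build SQL queries) is shown here beside the validated, parameterized form. This is an added example, not Cisco's code: the schema, the digits-only field format and all function names are hypothetical. The lookup returns only yes/no, the kind of one-bit response a blind injection depends on.

```python
import re
import sqlite3

CONTRACT_NO = re.compile(r"[0-9]{1,12}")  # assumed field format: digits only

def make_db():
    """Constructed sample data; the schema is hypothetical, not SNTC's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contracts (contract_no TEXT, owner TEXT)")
    db.executemany("INSERT INTO contracts VALUES (?, ?)",
                   [("100001", "alice"), ("100002", "bob")])
    return db

def exists_concatenated(db, owner, contract_no):
    """Flawed pattern: the user-supplied field becomes part of the SQL text."""
    sql = ("SELECT 1 FROM contracts WHERE owner = '" + owner +
           "' AND contract_no = '" + contract_no + "'")
    return db.execute(sql).fetchone() is not None

def exists_bound(db, owner, contract_no, validate=True):
    """Hardened form: allow-list validation, then a bound parameter."""
    if validate and not CONTRACT_NO.fullmatch(contract_no):
        raise ValueError("contract number must be 1-12 digits")
    sql = "SELECT 1 FROM contracts WHERE owner = ? AND contract_no = ?"
    return db.execute(sql, (owner, contract_no)).fetchone() is not None

def demo():
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    results = {
        "concatenated_legit": exists_concatenated(db, "alice", "100001"),
        # No contract "x" exists, yet the answer is True: the field changed the query.
        "concatenated_crafted": exists_concatenated(db, "alice", crafted),
        # Binding alone keeps the field a literal value, so nothing matches.
        "bound_crafted_no_validation": exists_bound(db, "alice", crafted, validate=False),
        "bound_legit": exists_bound(db, "alice", "100001"),
    }
    try:
        exists_bound(db, "alice", crafted)
        results["validation_rejected"] = False
    except ValueError:
        results["validation_rejected"] = True
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With bound parameters the field can no longer alter the query's predicate, so neither the yes/no answer nor the response time can be steered by SQL placed in the input.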