Cisco Bug: CSCvf07617 - Cisco Smart Net Total Care Portal: SQL Injection Vulnerability in Contracts Details page
Aug 16, 2019
- Network Level Service
Known Affected Releases
Symptom: A vulnerability in the Cisco Smart Net Total Care (SNTC) portal could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which could allow the attacker to compromise the confidentiality of the system through SQL timing attacks. The vulnerability is due to insufficient input validation of certain user-supplied fields that are subsequently used to build SQL queries. The issue has been resolved in SNTC 3.11 release. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc Conditions: This was already addressed in the SNTC portal software version 3.11 released on Jul 7th 2017.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases