Skip to main content

Unified Communications Domain Manager CVE-2017-12302

MEDIUM
SQL Injection (CWE-89)
2017-11-16 psirt@cisco.com
4.3
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 16, 2017 - 07:29 cve.org
MEDIUM 4.3

DescriptionCVE.org

A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, aka SQL Injection. The vulnerability is due to a lack of input validation on user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence of certain values in the database. Cisco Bug IDs: CSCvf36682.

AnalysisAI

A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, aka SQL Injection. The vulnerability is due to a lack of input validation on user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence of certain values in the database. Cisco Bug IDs: CSCvf36682. Affected products include: Cisco Unified Communications Domain Manager.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2014-3300 HIGH POC
7.5 Jul 07

The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM) in Unified CDM Application

CVE-2014-2198 CRITICAL
10.0 Jul 07

Cisco Unified Communications Domain Manager (CDM) in Unified CDM Platform Software before 4.4.2 has a hardcoded SSH priv

CVE-2018-0124 CRITICAL
9.8 Feb 22

A vulnerability in Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to bypass

CVE-2014-2197 CRITICAL
9.0 Jul 07

The Administration GUI in the web framework in Cisco Unified Communications Domain Manager (CDM) in Unified CDM Applicat

CVE-2018-0364 HIGH
8.8 Jun 21

A vulnerability in the web-based management interface of Cisco Unified Communications Domain Manager could allow an unau

CVE-2014-3337 MEDIUM
6.8 Aug 12

The SIP implementation in Cisco Unified Communications Manager (CM) 8.6(.2) and earlier allows remote authenticated user

CVE-2013-3418 MEDIUM
6.8 Jul 11

Cisco Unified Communications Domain Manager does not properly allocate memory for GET and POST requests, which allows re

CVE-2015-0588 MEDIUM
6.8 Jan 15

Cross-site request forgery (CSRF) vulnerability in Cisco Unified Communications Domain Manager (UCDM) 10 allows remote a

CVE-2015-0682 MEDIUM
6.5 Apr 03

Cisco Unified Communications Domain Manager 8.1(4) allows remote authenticated users to execute arbitrary code by visiti

CVE-2014-8010 MEDIUM
6.5 Dec 10

The web framework in Cisco Unified Communications Domain Manager 8 allows remote authenticated administrators to execute

CVE-2014-3339 MEDIUM
6.5 Aug 12

Multiple SQL injection vulnerabilities in the administrative web interface in Cisco Unified Communications Manager (CM)

CVE-2015-0684 MEDIUM
6.5 Apr 03

SQL injection vulnerability in the Image Management component in Cisco Unified Communications Domain Manager 8.1(4) allo

Share

CVE-2017-12302 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy