Cisco Unified Communications Manager Input Validation Flaw Lets Remote Authenticated Users Inject SQL Commands
SecurityTracker Alert ID: 1040341
SecurityTracker URL: http://securitytracker.com/id/1040341
CVE Reference: CVE-2018-0120
Date: Feb 7 2018
Impact:
Disclosure of system information, Disclosure of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Description:
A vulnerability was reported in Cisco Unified Communications Manager. A remote authenticated user can inject SQL commands.
The web framework does not properly validate user-supplied input. A remote authenticated user can supply a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to determine the presence of certain values in the database.
The vendor has assigned bug ID CSCvg74810 to this vulnerability.
Impact:
A remote authenticated user can execute SQL commands on the underlying database.
Solution:
No solution was available at the time of this entry.
The vendor advisory is available at:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-cucm
Vendor URL: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-cucm
Cause:
Input validation error
Message History:
None.
Source Message Contents
Subject: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-cucm