SB2017080305 - Two vulnerabilities in Cisco Unified Communications Manager

Published: August 3, 2017

Security Bulletin ID: SB2017080305
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Path traversal (CVE-ID: CVE-2017-6758)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the web framework of Cisco Unified Communications Manager due to insufficient input validation. A remote attacker can use directory traversal techniques to read files in the web root directory structure on the Cisco Unified Communications Manager filesystem.

Successful exploitation of the vulnerability results in information disclosure.

2) SQL injection (CVE-ID: CVE-2017-6757)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Cisco Unified Communications Manager due to improper validation of user-supplied input. A remote attacker can send specially crafted URLs containing SQL statements, bypass protection filters and modify or delete entries in some database tables.

Remediation

Install the update from the vendor's website.