SQL injection in Cisco Smart Net Total Care

Published: 2017-08-03 14:10:33
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2017-6754
CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-89
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: Cisco Smart Net Total Care
Vulnerable software versions: Cisco Smart Net Total Care 3.11
Vendor URL: Cisco Systems, Inc

Security Advisory

1) SQL injection

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the web-based management interface of the Cisco Smart Net Total Care (SNTC) Software Collector Appliance. It is caused by improper validation of certain user-supplied fields that the affected software subsequently uses to build SQL queries. A remote attacker can send specially crafted URLs and determine the presence of values in the SQL database.

Remediation

Install the update from the vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc
