SQL injection in Cisco Prime Collaboration Provisioning

Published: 2017-11-02 10:26:00
Severity Low
Patch available YES
Number of vulnerabilities 1
CVSSv2 4.8 (AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
CVSSv3 5.4 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE ID CVE-2017-12276
CWE ID CWE-89
Exploitation vector Network
Public exploit Not available
Vulnerable software Cisco Prime Collaboration Provisioning
Vulnerable software versions Cisco Prime Collaboration Provisioning 11.5(0)
Cisco Prime Collaboration Provisioning 12.1
Cisco Prime Collaboration Provisioning 11.0(0.621)
Show more
Vendor URL Cisco Systems, Inc
Advisory type Public

Security Advisory

1) SQL injection

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary SQL commands in web application database.

The vulnerability exists in the web framework code for the SQL database interface of the Cisco Prime Collaboration Provisioning application due to insufficient sanitization of user-supplied data. A remote attacker can supply a specially crafted parameter value to execute SQL commands on the underlying database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

Remediation

Install update from vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp

Back to List