Main Vulnerability Database Vulnerabilities #VU7163

SQL injection in Cisco Prime Infrastructure - CVE-2017-6698

Published: June 22, 2017

Vulnerability identifier: #VU7163

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-6698

CWE-ID: CWE-89

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Cisco Systems, Inc

Affected software:
Cisco Prime Infrastructure

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to execute arbitrary SQL queries in web application database.

The vulnerability exists in the SQL database interface due to a lack of proper validation on user-supplied input within SQL queries. A remote attacker can send a specially crafted URLs containing SQL statements and execute arbitrary SQL queries in web application database.

Successful exploitation of the vulnerability may allow an attacker to gain complete control over affected website.

How to mitigate CVE-2017-6698

Install update from vendor's website.

Sources

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm2

SQL injection in Cisco Prime Infrastructure - CVE-2017-6698

Detailed vulnerability description

How to mitigate CVE-2017-6698

Sources

Please verify you're human