SQL injection in Unified Communications Manager (CallManager) - CVE-2017-6757
Published: August 3, 2017
Vulnerability identifier: #VU7674
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-6757
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Unified Communications Manager (CallManager)
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system and to tamper with stored data.
The weakness exists in the web framework of Cisco Unified Communications Manager due to improper validation of user-supplied input before it is used in SQL queries (CWE-89). A remote authenticated attacker can send specially crafted URLs whose parameters contain SQL statements, bypass the product's protection filters, and read, modify or delete entries in some database tables. The CVSS vector above reflects this: low privileges are required (PR:L) and both confidentiality and integrity are affected (VC:L, VI:L).
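The following is an added illustration of the flaw class described above, not Cisco's code and not the CUCM web framework: a hypothetical request handler that builds a query from a URL parameter behind a keyword blacklist (the kind of "protection filter" that crafted input can bypass), next to the parameterised form that removes the injection. The table name, columns and rows are constructed for the example; the blacklist is deliberately case-sensitive to show why such filters are not a fix.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed in-memory table standing in for a configuration table (hypothetical schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE enduser (userid TEXT, department TEXT, pin TEXT)")
    conn.executemany("INSERT INTO enduser VALUES (?, ?, ?)",
                     [("alice", "sales", "1234"), ("bob", "ops", "9876")])
    conn.commit()
    return conn

# Hypothetical keyword blacklist. It compares upper-case tokens against the raw
# parameter value, so any lower-case or mixed-case SQL keyword slips through.
BLOCKED = ("UNION", "DELETE", "DROP", "--")

def passes_filter(value):
    return not any(tok in value for tok in BLOCKED)

def dept_param(url):
    """Extract the 'dept' query parameter as the web layer would."""
    return parse_qs(urlsplit(url).query).get("dept", [""])[0]

def lookup_vulnerable(conn, url):
    """String-concatenated query (CWE-89): the blacklist is the only defence."""
    dept = dept_param(url)
    if not passes_filter(dept):
        raise ValueError("blocked by filter")
    sql = "SELECT userid, department FROM enduser WHERE department = '" + dept + "'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, url):
    """Parameterised query: the value is bound as data and never parsed as SQL."""
    dept = dept_param(url)
    return conn.execute(
        "SELECT userid, department FROM enduser WHERE department = ?", (dept,)
    ).fetchall()

def filter_blocks(url):
    """True if the blacklist would reject this URL's 'dept' value."""
    return not passes_filter(dept_param(url))

# Constructed URLs. The path is invented; only the query string matters here.
BENIGN_URL = "/example/users?" + urlencode({"dept": "sales"})
# Lower-case 'union' evades the upper-case blacklist and pulls the pin column.
ATTACK_URL = "/example/users?" + urlencode(
    {"dept": "sales' union select userid, pin from enduser where '1'='1"})
# The same payload with an upper-case keyword is what the filter was written for.
ATTACK_URL_UPPER = ATTACK_URL.replace("union", "UNION")

if __name__ == "__main__":
    db = build_db()
    print("benign, vulnerable handler:", lookup_vulnerable(db, BENIGN_URL))
    print("filter blocks upper-case payload:", filter_blocks(ATTACK_URL_UPPER))
    print("lower-case payload, vulnerable handler:", lookup_vulnerable(db, ATTACK_URL))
    print("lower-case payload, fixed handler:", lookup_fixed(db, ATTACK_URL))
```

Running it shows the vulnerable handler returning the injected rows (including the pin column) for the lower-case payload while rejecting only the upper-case one, and the parameterised handler returning nothing for the payload because the whole string is compared as a department name. The integrity impact on the page (modify or delete entries) follows the same path with a different payload; the fix is the same: bind parameters and drop the blacklist.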
How to mitigate CVE-2017-6757
The vulnerability is addressed in the following versions: UCMAP.12.0(0.98000.338), UCMAP.11.6(2.10000.4), CUP.12.0(0.98000.1000), CUP.11.5(1.13900.35), CUC.12.0(0.97000.263.), CCM.12.0(0.98000.765), CCM.11.5(1.13900.35), CCM.11.5(1.13053.1), CCM.11.0(1.24076.1), CCM.10.5(2.16128.1).