#VU804 SQL injection in Cisco Secure Firewall Management Center (formerly Firepower Management Center, FMC) - CVE-2016-6419
Published: September 28, 2016 / Updated: April 5, 2018
Vulnerability identifier: #VU804
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6419
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco Secure Firewall Management Center (formerly Firepower Management Center, FMC)
Cisco Secure Firewall Management Center (formerly Firepower Management Center, FMC)
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote authenticated user to perform SQL injection on the target system.
The weakness is caused by insufficient input validation. Attackers can send a specially crafted SQL request that causes modification of the SQL database used by the Firepower Management Center.
Successful exploiatation of the vulnerability results in SQL injection on the vulnerable system.
The weakness is caused by insufficient input validation. Attackers can send a specially crafted SQL request that causes modification of the SQL database used by the Firepower Management Center.
Successful exploiatation of the vulnerability results in SQL injection on the vulnerable system.
Remediation
Update to version 5.3.0.3;
Update to version 5.3.1.2;
Update to version 5.4.0.1;
Update to version 5.4.1;
Update to version 6.0.0.
Update to version 5.3.1.2;
Update to version 5.4.0.1;
Update to version 5.4.1;
Update to version 6.0.0.