Cisco fixes SQL Injection flaw in Unified CM

January 20, 2023  By Pierluigi Paganini


A high-severity flaw (CVE-2023-20010) was found in Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition.

Cisco fixed a high-severity SQL injection flaw, tracked as CVE-2023-20010 (CVSS score of 8.1), in Unified Communications Manager and Unified Communications Manager Session Management Edition.

Unified Communications Manager solutions provide reliable, secure, scalable, and manageable call control and session management. Cisco Unified (CM) supports industry standards, a wide range of gateways, and a broad ecosystem of third-party integrations and solutions plus partners. 

The vulnerability CVE-2023-20010 resides in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME), an authenticated, remote attacker can trigger it to conduct SQL injection attacks on a vulnerable system.

“This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system.” reads the advisory published by the IT giant. “A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges.”

The flaw impacts Cisco Unified CM and Unified CM SME versions 11.5(1), 12.5(1), and 14. The company advises customers to upgrade to an appropriate fixed software release as reported in the following table:

Cisco Unified CM and Unified CM SME ReleaseFirst Fixed Release
11.5(1)Migrate to a fixed release.
12.5(1)12.5(1)SU7
1414SU3 (Mar 2023)

The company states that are no workarounds to address this vulnerability.

The flaw was discovered by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG) and [email protected] Noah-Lab.

The Cisco PSIRT is not aware of attacks in the wild exploiting this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2023-20010)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Experts released PoC exploit for critical Zoho ManageEngine RCE flaw

 Researchers released Proof-of-concept exploit code for remote code execution flaw CVE-2022-47966 impacting multiple Zoho...