Cisco fixed a high-severity SQL injection flaw, tracked as CVE-2023-20010 (CVSS score of 8.1), in Unified Communications Manager and Unified Communications Manager Session Management Edition.
Unified Communications Manager solutions provide reliable, secure, scalable, and manageable call control and session management. Cisco Unified (CM) supports industry standards, a wide range of gateways, and a broad ecosystem of third-party integrations and solutions plus partners.
The vulnerability CVE-2023-20010 resides in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME), an authenticated, remote attacker can trigger it to conduct SQL injection attacks on a vulnerable system.
“This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system.” reads the advisory published by the IT giant. “A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges.”
The flaw impacts Cisco Unified CM and Unified CM SME versions 11.5(1), 12.5(1), and 14. The company advises customers to upgrade to an appropriate fixed software release as reported in the following table:
| Cisco Unified CM and Unified CM SME Release | First Fixed Release |
|---|---|
| 11.5(1) | Migrate to a fixed release. |
| 12.5(1) | 12.5(1)SU7 |
| 14 | 14SU3 (Mar 2023) |
The company states that are no workarounds to address this vulnerability.
The flaw was discovered by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG) and Skay@360 Noah-Lab.
The Cisco PSIRT is not aware of attacks in the wild exploiting this vulnerability.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, CVE-2023-20010)
[adrotate banner=”5″]
[adrotate banner=”13″]
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
This website uses cookies.