Cisco Unified Communications Manager Java Interface SQL Injection Vulnerability

A
vulnerability in the Java database interface of Cisco Unified Communications
Manager (Cisco Unified CM) could allow an unauthenticated, remote attacker to
impact the integrity of the system by executing arbitrary SQL queries.

The vulnerability is due to a failure to validate user-supplied input
used in SQL queries. An attacker could exploit this vulnerability by
sending crafted URLs that include SQL statements. An exploit could allow
the attacker to determine the presence of certain values in the
database.

Cisco has confirmed the vulnerability in a security notice and released software updates.

Although Cisco indicates through the CVSS score that software updates are not available, software updates are available for Cisco bug ID CSCum05313. For Cisco bug IDs CSCup23440, CSCup23461, and CSCup23465, software updates are not available.