Lucene search
Sven TauteZDI-11-143HistoryApr 28, 2011 - 12:00 a.m.
Cisco Unified CallManager xmldirectorylist.jsp SQL Injection Vulnerability
2011-04-2800:00:00
Sven Taute
www.zerodayinitiative.com
61
0.93 High
EPSS
Percentile
99.1%
This vulnerability allows remote attackers to inject arbitrary SQL into the backend database on vulnerable installations of Cisco Unified CM. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Call Manager component. The system exposes an Apache webserver which contains a JSP script vulnerable to SQL injection. The xmldirectorylist.jsp file does not properly validate the f, l, and n parameters before passing them to the database. A remote attacker can abuse this to inject SQL statements to be evaluated by the underlying database.
Related
cve
cve
CVE-2011-1610
2011-05-03 22:55:02
securityvulns
securityvulns
cisco
cisco
Cisco Unified Communications Manager Potential SQL Injection Vulnerability
2011-04-27 15:10:54
cvelist
cvelist
CVE-2011-1610
2011-05-03 22:00:00
checkpoint_advisories
checkpoint_advisories
Cisco Unified Communications Manager Multiple SQL Injections (CVE-2011-1610)
2011-07-19 00:00:00
prion
prion
Sql injection
2011-05-03 22:55:00
nvd
nvd
CVE-2011-1610
2011-05-03 22:55:02
packetstorm
packetstorm
Cisco SQL Injection
2011-05-03 00:00:00