Vulnerability Name:

CVE-2008-0026 (CCN-40484)

Assigned:2007-12-17
Published:2008-02-13
Updated:2017-08-08
Summary:SQL injection vulnerability in Cisco Unified CallManager/Communications Manager (CUCM) 5.0/5.1 before 5.1(3a) and 6.0/6.1 before 6.1(1a) allows remote authenticated users to execute arbitrary SQL commands via the key parameter to the (1) admin and (2) user interface pages.
CVSS v3 Severity:3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity:6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
5.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-89
Vulnerability Consequences:Data Manipulation
References:Source: MITRE
Type: CNA
CVE-2008-0026

Source: CCN
Type: SA28932
Cisco Unified Communications Manager "key" SQL Injection

Source: SECUNIA
Type: Vendor Advisory
28932

Source: CCN
Type: SECTRACK ID: 1019404
Cisco Unified Communications Manager Input Validation Flaw Lets Remote Authenticated Users Inject SQL Commands

Source: CISCO
Type: UNKNOWN
20080213 SQL injection in Cisco Unified Communications Manager

Source: CCN
Type: cisco-sa-20080213-cucmsql
Cisco Security Advisory: SQL injection in Cisco Unified Communications Manager

Source: CCN
Type: OSVDB ID: 41561
Cisco Unified Callmanager / Communications Manager Multiple Page key Parameter SQL Injection

Source: CCN
Type: Portcullis Security Advisory 07_016
Multiple SQL Injections In Cisco Call Manager User And Admin Interface

Source: BID
Type: UNKNOWN
27775

Source: CCN
Type: BID-27775
Cisco Unified Communications Manager 'key' Parameter SQL Injection Vulnerability

Source: CCN
Type: BID-28690
Cisco Unified Communication Manager Multiple Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1019404

Source: VUPEN
Type: Vendor Advisory
ADV-2008-0542

Source: XF
Type: UNKNOWN
cucm-interface-sql-injection(40484)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:cisco:unified_callmanager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(2):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(3):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(3a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(4):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0_4a:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0_1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0_2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0_3:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0_3a:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0_4:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0_4a:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0_4a_su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.0_1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:cisco:unified_callmanager:5.0(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(2):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(3):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(3a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(4):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:5.0(4a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_callmanager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.0(1):*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    cisco unified callmanager 5.0
    cisco unified callmanager 5.0(1)
    cisco unified callmanager 5.0(2)
    cisco unified callmanager 5.0(3)
    cisco unified callmanager 5.0(3a)
    cisco unified callmanager 5.0(4)
    cisco unified callmanager 5.0_4a
    cisco unified callmanager 5.1
    cisco unified callmanager 6.0
    cisco unified communications manager 5.0
    cisco unified communications manager 5.0_1
    cisco unified communications manager 5.0_2
    cisco unified communications manager 5.0_3
    cisco unified communications manager 5.0_3a
    cisco unified communications manager 5.0_4
    cisco unified communications manager 5.0_4a
    cisco unified communications manager 5.0_4a_su1
    cisco unified communications manager 6.0
    cisco unified communications manager 6.0_1
    cisco unified communications manager 6.1
    cisco unified callmanager 5.0(1)
    cisco unified callmanager 5.0(2)
    cisco unified callmanager 5.0(3)
    cisco unified callmanager 5.0(3a)
    cisco unified callmanager 5.0
    cisco unified callmanager 5.1
    cisco unified communications manager 5.0
    cisco unified callmanager 5.0(4)
    cisco unified communications manager 6.0
    cisco unified communications manager 6.1
    cisco unified callmanager 5.0(4a)
    cisco unified callmanager 6.0
    cisco unified communications manager 6.0(1)