Vulnerability Name: CVE-2017-3886 (CCN-124200)
Assigned: 2016-12-21
Published: 2017-04-05
Updated: 2017-07-12
Summary: A vulnerability in the Cisco Unified Communications Manager web interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, aka SQL Injection. The attacker must be authenticated as an administrative user to execute SQL database queries. More Information: CSCvc74291. Known Affected Releases: 1.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 12.0(0.98000.619) 12.0(0.98000.485) 12.0(0.98000.212) 11.5(1.13035.1) 11.0(1.23900.5) 11.0(1.23900.2) 11.0(1.23067.1) 10.5(2.15900.2).
CVSS v3 Severity:
  4.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
  4.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C)
  4.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C)
CVSS v2 Severity:
  4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Vulnerability Type: CWE-89
Vulnerability Consequences: Data Manipulation
References:
  Source: MITRE Type: CNA CVE-2017-3886
  Source: BID Type: Third Party Advisory, VDB Entry 97432
  Source: CCN Type: BID-97432 Cisco Unified Communications Manager CVE-2017-3886 SQL Injection Vulnerability
  Source: SECTRACK Type: UNKNOWN 1038192
  Source: XF Type: UNKNOWN cisco-cve20173886-sql-injection(124200)
  Source: CCN Type: Cisco Security Advisory cisco-sa-20170405-ucm Cisco Unified Communications Manager SQL Injection Vulnerability
  Source: CONFIRM Type: Vendor Advisory https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-ucm
Vulnerable Configuration: Configuration 1: Configuration CCN 1: