CVE-2019-12710

Description

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an authenticated, remote attacker to impact the confidentiality of an affected system by executing arbitrary SQL queries. The vulnerability exists because the affected software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted requests that contain malicious SQL statements to the affected application. A successful exploit could allow the attacker to determine the presence of certain values in the database, impacting the confidentiality of the system.

Risk Information

Base Score

4.9

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS Score

Exploitation Probability

0.214

Associated Vulnerability

Vulnerability	OS Platform
Cisco Unified Communications Manager SQL Injection Vulnerability For Cisco Unified Communications Manager (CallManager)	NCM
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability (CVE-2019-12710)	NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE

Patch ID	Patch Description
PATCH-1706016	Security Update for Cisco Unified Communications Manager (CallManager) CUP.11.5(1.12900.25)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234