Vulnslist


Cisco Unified MeetingPlace SQL Injection Vulnerability

Cisco-SA-20120510-CVE-2012-0337 · Medium · Published · Updated

Cisco Unified MeetingPlace contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary SQL code on a targeted system. The vulnerability is due to improper validation of user-supplied input to the web-based application interface.

An authenticated, remote attacker could exploit this vulnerability by sending malicious requests to the system. If successful, the attacker could execute arbitrary SQL code against the database underlying the affected application. Cisco has confirmed this vulnerability in a bug report and has released updated software.

To exploit this vulnerability, the attacker would need to authenticate to the targeted device. To achieve this objective, the attacker may need access to trusted, internal network resources. This access requirement reduces the exposure of this vulnerability.

Workarounds

Administrators are advised to apply the appropriate updates.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to monitor affected systems.

CVEs: CVE-2012-0337
Cisco Bug IDs: CSCtx08939
CVSS Score: Base 8.5
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:OF/RC:C
Product Names From Source: Cisco Unified MeetingPlace Web Conferencing

Related Products

Product | CVE | Evidence
Cisco Unified MeetingPlace | CVE-2012-0337 | Cisco OpenVuln
Cisco Unified MeetingPlace Web Conferencing | CVE-2012-0337 | Cisco OpenVuln