Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco Prime Infrastructure and Evolved Programmable Network Manager Database Interface SQL Injection Vulnerability

cisco-sa-20161012-prime · Medium · Published · Updated

A vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface could allow an authenticated, remote attacker to impact system confidentiality by executing a subset of arbitrary SQL queries that can cause product instability. The vulnerability is due to a lack of input validation on user-supplied input within SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence of certain values in the database. Repeated exploitation could result in a sustained denial of service (DoS) condition. Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-prime

Cisco advisory · CSAF JSON

Workarounds

For additional information about SQL injection attacks and defenses, see Understanding SQL Injection["http://www.cisco.com/web/about/security/intelligence/sql_injection.html"].

CVEsCVE-2016-6443
Cisco Bug IDsCSCva27038, CSCva28335
CVSS ScoreBase 6.5
Base 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C
Product Names From Source
Cisco Prime Infrastructure, Cisco Evolved Programmable Network Manager (EPNM)

Related Products

Product CVE Evidence
Cisco Prime Infrastructure CVE-2016-6443 Cisco OpenVuln
Cisco Evolved Programmable Network Manager (EPNM) CVE-2016-6443 Cisco OpenVuln