SQLi in Cisco Unified CM Web UI Authenticated Remote Attack
CVE-2023-20010 Published on January 20, 2023

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges.

NVD

Vulnerability Analysis

CVE-2023-20010 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

NONE

Weakness Type

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2023-20010 has been classified to as a SQL Injection vulnerability or weakness.

Products Associated with CVE-2023-20010

Want to know whenever a new CVE is published for Cisco Unified Communications Manager? stack.watch will email you.

Cisco Unified Communications Manager

Affected Versions

Cisco Unified Communications Manager:

Version 12.0(1)SU1 is affected.
Version 12.0(1)SU2 is affected.
Version 12.0(1)SU3 is affected.
Version 12.0(1)SU4 is affected.
Version 12.0(1)SU5 is affected.
Version 12.5(1) is affected.
Version 12.5(1)SU1 is affected.
Version 12.5(1)SU2 is affected.
Version 12.5(1)SU3 is affected.
Version 12.5(1)SU4 is affected.
Version 12.5(1)SU5 is affected.
Version 12.5(1)SU6 is affected.
Version 14 is affected.
Version 14SU1 is affected.
Version 14SU2 is affected.

Exploit Probability

EPSS

0.65%

Percentile

70.51%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.