Cisco Unified CM SQLi via Authenticated Web UI
CVE-2023-20211 Published on August 16, 2023
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by authenticating to the application as a user with read-only or higher privileges and sending crafted HTTP requests to an affected system. A successful exploit could allow the attacker to read or modify data in the underlying database or elevate their privileges.
Vulnerability Analysis
CVE-2023-20211 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2023-20211 has been classified to as a SQL Injection vulnerability or weakness.
Products Associated with CVE-2023-20211
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-20211 are published in Cisco Unified Communications Manager:
Affected Versions
Cisco Unified Communications Manager:- Version 12.0(1)SU1 is affected.
- Version 12.0(1)SU2 is affected.
- Version 12.0(1)SU3 is affected.
- Version 12.0(1)SU4 is affected.
- Version 12.0(1)SU5 is affected.
- Version 12.5(1) is affected.
- Version 12.5(1)SU1 is affected.
- Version 12.5(1)SU2 is affected.
- Version 12.5(1)SU3 is affected.
- Version 12.5(1)SU4 is affected.
- Version 12.5(1)SU5 is affected.
- Version 12.5(1)SU6 is affected.
- Version 12.5(1)SU7 is affected.
- Version 12.5(1)SU7a is affected.
- Version 14 is affected.
- Version 14SU1 is affected.
- Version 14SU2 is affected.
- Version 14SU3 is affected.
- Version 10.5(2)SU10 is affected.
- Version 10.5(1) is affected.
- Version 10.5(1)SU1 is affected.
- Version 10.5(1)SU1a is affected.
- Version 10.5(2) is affected.
- Version 10.5(2)SU1 is affected.
- Version 10.5(2)SU2 is affected.
- Version 10.5(2)SU3 is affected.
- Version 10.5(2)SU4 is affected.
- Version 10.5(2)SU5 is affected.
- Version 10.5(2)SU6 is affected.
- Version 10.5(2)SU7 is affected.
- Version 10.5(2)SU8 is affected.
- Version 10.5(2)SU9 is affected.
- Version 10.5(2)SU2a is affected.
- Version 10.5(2)SU3a is affected.
- Version 10.5(2)SU4a is affected.
- Version 10.5(2)SU6a is affected.
- Version 11.0(1) is affected.
- Version 11.0(1a) is affected.
- Version 11.0(1a)SU1 is affected.
- Version 11.0(1a)SU2 is affected.
- Version 11.0(1a)SU3 is affected.
- Version 11.0(1a)SU3a is affected.
- Version 11.0(1a)SU4 is affected.
- Version 11.0.1 is affected.
- Version 11.0.2 is affected.
- Version 11.0.5 is affected.
- Version 11.5(1) is affected.
- Version 11.5(1)SU1 is affected.
- Version 11.5(1)SU2 is affected.
- Version 11.5(1)SU3 is affected.
- Version 11.5(1)SU3a is affected.
- Version 11.5(1)SU3b is affected.
- Version 11.5(1)SU4 is affected.
- Version 11.5(1)SU5 is affected.
- Version 11.5(1)SU6 is affected.
- Version 11.5(1)SU7 is affected.
- Version 11.5(1)SU8 is affected.
- Version 11.5(1)SU9 is affected.
- Version 11.5(1)SU10 is affected.
- Version 11.5(1)SU11 is affected.
- Version 10.0(1)SU2 is affected.
- Version 10.0(1) is affected.
- Version 10.0(1)SU1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.