CVE-2023-20211 is a vulnerability in Cisco Unified Communications Manager
Published on August 16, 2023
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by authenticating to the application as a user with read-only or higher privileges and sending crafted HTTP requests to an affected system. A successful exploit could allow the attacker to read or modify data in the underlying database or elevate their privileges.
Vulnerability Analysis
CVE-2023-20211 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2023-20211 has been classified to as a SQL Injection vulnerability or weakness.
Products Associated with CVE-2023-20211
You can be notified by stack.watch whenever vulnerabilities like CVE-2023-20211 are published in these products:
What versions of Unified Communications Manager are vulnerable to CVE-2023-20211?
-
Cisco Unified Communications Manager
Version 14.0
-
Cisco Unified Communications Manager
Version 14.0
-
Cisco Unified Communications Manager
Version 12.5\(1\)
Fixed in Version 12.5\(1\)sub
-
Cisco Unified Communications Manager
Version 12.5\(1\)
Fixed in Version 12.5\(1\)sub