Description
SQL injection vulnerability in Cisco Unified CallManager/Communications Manager (CUCM) 5.0/5.1 before 5.1(3a) and 6.0/6.1 before 6.1(1a) allows remote authenticated users to execute arbitrary SQL commands via the key parameter to the (1) admin and (2) user interface pages.
Affected products
- Cisco / unified_callmanager5.0 – 5.0
- Cisco / unified_callmanager5.0(1) – 5.0(1)
- Cisco / unified_callmanager5.0(2) – 5.0(2)
- Cisco / unified_callmanager5.0(3) – 5.0(3)
- Cisco / unified_callmanager5.0(3a) – 5.0(3a)
- Cisco / unified_callmanager5.0(4) – 5.0(4)
- Cisco / unified_callmanager5.0_4a – 5.0_4a
- Cisco / unified_callmanager5.1 – 5.1
- Cisco / unified_callmanager6.0 – 6.0
- Cisco / unified_communications_manager5.0 – 5.0
- Cisco / unified_communications_manager5.0_1 – 5.0_1
- Cisco / unified_communications_manager5.0_2 – 5.0_2
- Cisco / unified_communications_manager5.0_3 – 5.0_3
- Cisco / unified_communications_manager5.0_3a – 5.0_3a
- Cisco / unified_communications_manager5.0_4 – 5.0_4
- Cisco / unified_communications_manager5.0_4a – 5.0_4a
- Cisco / unified_communications_manager5.0_4a_su1 – 5.0_4a_su1
- Cisco / unified_communications_manager6.0 – 6.0
- Cisco / unified_communications_manager6.0_1 – 6.0_1
- Cisco / unified_communications_manager6.1 – 6.1
References
- MISC: http://www.securityfocus.com/bid/27775
- VENDOR_ADVISORY: http://secunia.com/advisories/28932
- MISC: https://exchange.xforce.ibmcloud.com/vulnerabilities/40484
- VENDOR_ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a0080949c7c.shtml
- MISC: http://www.securitytracker.com/id?1019404
- VENDOR_ADVISORY: http://www.vupen.com/english/advisories/2008/0542