Advisory ID: cisco-sa-20171115-ucm
CVE ID: CVE-2017-12302
CWE ID: CWE-89
CVSS Score: Base 4.3
Severity: Medium
First Published: 2017 November 15 16:00 GMT
Cisco Bug IDs: CSCvf36682

Summary

A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries.

The vulnerability is due to a lack of input validation on user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence of certain values in the database.

Affected Products

This vulnerability affects Cisco Unified Communications Manager.

No other Cisco products are currently known to be affected by this vulnerability.

Details

Additional information about SQL injection is available at: https://www.owasp.org/index.php/SQL_Injection

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

For information about fixed software releases, consult the Cisco bug ID(s) at the top of this advisory:

Cisco Bug IDs: CSCvf36682

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

This vulnerability was found during internal security testing.

URL

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-ucm
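Added illustration of the vulnerability class the Summary describes (CWE-89, user input from a crafted URL concatenated into a query, yielding a yes/no oracle on values stored in the database). This is example code written for this page, not Cisco's code; the table, the `/lookup?name=` URL shape and the lookup functions are constructed stand-ins and say nothing about the actual Unified Communications Manager interface. It shows the vulnerable concatenation beside the parameterized fix and a probe that works only against the former.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample data: a tiny directory table standing in for whatever the
# real application queries. Not CUCM's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, ext TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1001"), ("bob", "1002")])
    return conn

def name_from_url(url):
    """Pull the 'name' query parameter out of a request URL (hypothetical endpoint)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]

def lookup_vulnerable(conn, url):
    # The flaw: the URL parameter is spliced straight into SQL text, so quote
    # characters in it change the structure of the statement.
    name = name_from_url(url)
    sql = "SELECT ext FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_fixed(conn, url):
    # The fix: a bound parameter. The value is sent to the engine as data and
    # can never be parsed as part of the statement, whatever it contains.
    name = name_from_url(url)
    sql = "SELECT ext FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def probe(conn, lookup, guess):
    """Boolean-based inference: returns True iff some row has ext == guess.

    The payload piggybacks a subquery on a known-good lookup and comments out
    the trailing quote, so the page's "find alice" request silently answers a
    different question about the database.
    """
    payload = ("alice' AND EXISTS (SELECT 1 FROM users WHERE ext = '"
               + guess + "') --")
    url = "/lookup?" + urlencode({"name": payload})
    return len(lookup(conn, url)) > 0

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, ext 1002 present?", probe(conn, lookup_vulnerable, "1002"))
    print("vulnerable, ext 9999 present?", probe(conn, lookup_vulnerable, "9999"))
    print("fixed, same payload:", probe(conn, lookup_fixed, "1002"))
```

Against the vulnerable function the probe answers True for an extension that exists and False for one that does not, which is the "determine the presence of certain values" outcome in the advisory; against the parameterized function the whole payload is treated as a literal name that matches nothing, so the oracle disappears. Input validation that rejects unexpected characters is a useful defense in depth, but binding parameters is what removes the injection.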