CVE-2019-15972

A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates SQL values. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database.

Published: Nov 26, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-15972
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
cisco / unified_communications_manager	11.5(1.10000.6)	11.5(1.10000.6).x
cisco / unified_communications_manager	10.5(2.10000.5)	10.5(2.10000.5).x
cisco / unified_communications_manager	12.0(1.10000.10)	12.0(1.10000.10).x
cisco / unified_communications_manager	12.5(1.10000.22)	12.5(1.10000.22).x

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-cucm-sql

Vulnerability Database

289,599

CVE-2019-15972