A vulnerability in the web-based management interface of both Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) has been identified.
Cisco Unified CM is primarily used for managing voice and video calls, while Cisco Unified CM SME provides session routing intelligence. This vulnerability allows an authenticated, remote attacker to conduct SQL injection attacks against affected systems. Cisco has released software updates that address the issue.
CVE-2023-20211: SQL Injection Vulnerability

This vulnerability stems from inadequate validation of user-supplied input in the web-based management interface. An attacker authenticated as a read-only user could exploit it by sending crafted HTTP requests to a vulnerable system. Successful exploitation could allow the attacker to read or modify data in the underlying database and to escalate privileges. The CVSS base score is 8.1 (High).
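The advisory does not publish the affected Unified CM request parameters, so the following is an added, generic illustration of the vulnerability class rather than Cisco's code or an exploit for it. It models a self-service page where an authenticated read-only user can view and update their own record: the vulnerable handlers paste the request parameter into the SQL text, the hardened handlers bind it as a parameter. The schema, the user names (`admin`, `auditor`) and both payloads are constructed for this example.

```python
"""Added example (not Cisco's code): the vulnerability class behind CVE-2023-20211.

A self-service page lets an authenticated read-only user view and update their
own record. The vulnerable handlers paste the request parameter into the SQL
text; the hardened handlers bind it as a parameter. Schema, user names and
payloads are constructed for this example; nothing here targets Cisco's code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one administrator and one read-only user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            name    TEXT PRIMARY KEY,
            role    TEXT NOT NULL,
            display TEXT NOT NULL
        );
        INSERT INTO users VALUES ('admin',   'administrator', 'Administrator');
        INSERT INTO users VALUES ('auditor', 'read-only',     'Auditor');
        """
    )
    return conn


def role_of(conn: sqlite3.Connection, user: str) -> str:
    """Current role of a user (parameterised; used only to observe results)."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (user,)).fetchone()
    return row[0]


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Inadequate input validation: 'name' comes straight from the HTTP request."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value travels as a bound parameter, so quotes in it are data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def set_display_vulnerable(conn: sqlite3.Connection, user: str, display: str) -> str:
    """Vulnerable update; returns the user's role after the statement ran."""
    sql = f"UPDATE users SET display = '{display}' WHERE name = '{user}'"
    conn.execute(sql)
    conn.commit()
    return role_of(conn, user)


def set_display_safe(conn: sqlite3.Connection, user: str, display: str) -> str:
    """Hardened update with bound parameters; returns the user's role afterwards."""
    conn.execute("UPDATE users SET display = ? WHERE name = ?", (display, user))
    conn.commit()
    return role_of(conn, user)


# Constructed payloads a read-only user could place in the request parameters.
# Read: close the quoted literal and UNION in every row of the table.
READ_PAYLOAD = "auditor' UNION SELECT name, role FROM users WHERE 'a'='a"
# Write: close the display literal, add a second SET column, then comment out
# the application's own WHERE clause, so 'auditor' becomes an administrator.
ESCALATE_PAYLOAD = "x', role = 'administrator' WHERE name = 'auditor' -- "


def demo() -> dict:
    """Run vulnerable and hardened handlers against both payloads on fresh databases."""
    results = {}
    conn = make_db()
    results["vulnerable_read"] = sorted(lookup_vulnerable(conn, READ_PAYLOAD))
    results["safe_read"] = lookup_safe(conn, READ_PAYLOAD)
    results["vulnerable_role"] = set_display_vulnerable(make_db(), "auditor", ESCALATE_PAYLOAD)
    results["safe_role"] = set_display_safe(make_db(), "auditor", ESCALATE_PAYLOAD)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The read payload shows the "unauthorized access" outcome (every user's role is returned to a caller who should only see their own row); the write payload shows "modification of system data" and "privilege escalation" in one statement. Both fail against the parameterised handlers because the driver never interprets the payload as SQL. Note that the vulnerable code is not missing a quote filter that could be patched in: the correct fix is to stop building SQL text from request data at all.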
Affected Products

The following products are impacted by this vulnerability: Cisco Unified CM and Cisco Unified CM SME. Cisco has also confirmed that the following products are not affected:
- Emergency Responder
- Finesse
- Hosted Collaboration Mediation Fulfillment (HCM-F)
- Packaged Contact Center Enterprise (Packaged CCE)
- Prime Collaboration Deployment
- Prime License Manager (PLM)
- SocialMiner
- Unified Communications Manager IM & Presence Service (Unified CM IM&P)
- Unified Contact Center Domain Manager (Unified CCDM)
- Unified Contact Center Express (Unified CCX)
- Unified Contact Center Management Portal (Unified CCMP)
- Unified Intelligence Center
- Unity Connection
- Virtualized Voice Browser
Fix Available In

Cisco Unified CM and Unified CM SME Release | First Fixed Release
--- | ---
11.5(1) | Migrate to a fixed release.
12.5(1) | 12.5(1)SU8
14 | Apply patch file ciscocm.V14SU3_CSCwe89928_sql-injection_C0194-1.cop.sha512.
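The following is an added triage helper, not a Cisco tool, that maps a release string to the action the table above calls for. It assumes the input uses the advisory's own notation ("major.minor(maintenance)SUn", or just the major number, e.g. "11.5(1)", "12.5(1)SU7", "14SU3"); full build strings such as "12.5.1.18900-15" are not handled. For Release 14 the version string alone cannot show whether the COP file has been applied, so the helper only reports that this must be verified on the node.

```python
"""Added example (not a Cisco tool): triage a Unified CM / Unified CM SME
release against the advisory's fixed-release table for CVE-2023-20211.

Assumption: input is in the advisory's notation, "major.minor(maint)SUn" or a
bare major number, e.g. "11.5(1)", "12.5(1)SU7", "14SU3".
"""
import re
from typing import Optional, Tuple

# Patch file named in the advisory for Release 14.
COP_FILE = "ciscocm.V14SU3_CSCwe89928_sql-injection_C0194-1.cop.sha512"

# major, optional .minor, optional (maintenance), optional SUn
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\((\d+)\))?(?:SU(\d+))?$", re.IGNORECASE)


def parse_release(version: str) -> Tuple[str, Optional[int]]:
    """Return (release train, service-update number or None).

    "12.5(1)SU8" -> ("12.5", 8); "14" -> ("14", None).
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised release string: {version!r}")
    major, minor, _maintenance, su = m.groups()
    train = major if minor is None else f"{major}.{minor}"
    return train, (int(su) if su is not None else None)


def fix_status(version: str) -> str:
    """Map a release to the action the advisory table calls for."""
    train, su = parse_release(version)
    if train == "11.5":
        # No fixed release exists on this train.
        return "migrate to a fixed release (11.5(1) has no fix)"
    if train == "12.5":
        # First fixed release is 12.5(1)SU8; earlier or no SU is vulnerable.
        if su is not None and su >= 8:
            return "fixed"
        return "upgrade to 12.5(1)SU8 or later"
    if train == "14":
        # The release string cannot show whether the COP file is installed;
        # check the installed patches on the node itself.
        return f"apply or verify patch {COP_FILE}"
    return "not listed in the advisory table"


if __name__ == "__main__":
    for v in ("11.5(1)", "12.5(1)SU7", "12.5(1)SU8", "14SU3"):
        print(f"{v}: {fix_status(v)}")
```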
Administrators of the affected products are strongly advised to upgrade to a fixed release, or to apply the listed patch file on Release 14, to mitigate the risk of exploitation.