CVE-2018-0124
https://notcve.org/view.php?id=CVE-2018-0124
A vulnerability in Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to bypass security protections, gain elevated privileges, and execute arbitrary code. The vulnerability is due to insecure key generation during application configuration. An attacker could exploit this vulnerability by using a known insecure key value to bypass security protections by sending arbitrary requests using the insecure key to a targeted application. An exploit could allow the attacker to execute arbitrary code. This vulnerability affects Cisco Unified Communications Domain Manager releases prior to 11.5(2). • http://www.securityfocus.com/bid/103114 http://www.securitytracker.com/id/1040405 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-ucdm • CWE-320: Key Management Errors •
CVE-2017-12302
https://notcve.org/view.php?id=CVE-2017-12302
A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, aka SQL Injection. The vulnerability is due to a lack of input validation on user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence of certain values in the database. Cisco Bug IDs: CSCvf36682. • http://www.securityfocus.com/bid/101853 http://www.securitytracker.com/id/1039826 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-ucm • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2015-6352
https://notcve.org/view.php?id=CVE-2015-6352
Cisco Unified Communications Domain Manager before 10.6(1) provides different error messages for pathname access attempts depending on whether the pathname exists, which allows remote attackers to map a filesystem via a series of requests, aka Bug ID CSCut67891. Cisco Unified Communications Domain Manager en versiones anteriores a 10.6(1) proporciona diferentes mensajes de error para intentos de acceso al nombre de ruta dependiendo de si el nombre de ruta existe, lo que permite a atacantes remotos mapear un sistema de archivos a través de una serie de peticiones, tambien conocida como Bug ID CSCut67891. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151027-ucd http://www.securityfocus.com/bid/77341 http://www.securitytracker.com/id/1034022 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •