// For flags

CVE-2019-1825

Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL Injection Vulnerabilities

Severity Score

8.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries. This vulnerability exist because the software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains malicious SQL statements to the affected application. A successful exploit could allow the attacker to view or modify entries in some database tables, affecting the integrity of the data.

Una vulnerabilidad en la web-based management interface de Prime Infrastructure (PI) y Evolved Programmable Network (EPN) Manager de Cisco podría permitir que un atacante remoto autenticado ejecutara consultas SQL arbitrarias. Esta vulnerabilidad existe porque el programa verifica incorrectamente la entrada proporcionada por el usuario en las consultas SQL. Un atacante podría aprovechar esta vulnerabilidad enviando una solicitud HTTP diseñada que contenga sentencias SQL maliciosas a la aplicación afectada. Un aprovechamiento exitoso podría permitir al atacante ver o modificar entradas en algunas tablas de la base de datos, afectando la integridad de los datos.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2018-12-06 CVE Reserved
  • 2019-05-16 CVE Published
  • 2023-06-24 EPSS Updated
  • 2024-11-20 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Evolved Programmable Network Manager
Search vendor "Cisco" for product "Evolved Programmable Network Manager"
< 3.0.1
Search vendor "Cisco" for product "Evolved Programmable Network Manager" and version " < 3.0.1"
-
Affected
Cisco
Search vendor "Cisco"
Network Level Service
Search vendor "Cisco" for product "Network Level Service"
3.0\(0.0.83b\)
Search vendor "Cisco" for product "Network Level Service" and version "3.0\(0.0.83b\)"
-
Affected
Cisco
Search vendor "Cisco"
Prime Infrastructure
Search vendor "Cisco" for product "Prime Infrastructure"
< 3.4.1
Search vendor "Cisco" for product "Prime Infrastructure" and version " < 3.4.1"
-
Affected