// For flags

CVE-2023-20010

 

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.
This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges.

Una vulnerabilidad en la interfaz de administración basada en web de Cisco Unified Communications Manager (Unified CM) y Cisco Unified Communications Manager Session Management Edition (Unified CM SME) podría permitir que un atacante remoto autenticado realice ataques de inyección SQL en un sistema afectado. Esta vulnerabilidad existe porque la interfaz de administración basada en web no valida adecuadamente la entrada del usuario. Un atacante podría aprovechar esta vulnerabilidad autenticándose en la aplicación como un usuario con pocos privilegios y enviando consultas SQL manipuladas a un sistema afectado. Un exploit exitoso podría permitir al atacante leer o modificar cualquier dato en la base de datos subyacente o elevar sus privilegios.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-10-27 CVE Reserved
  • 2023-01-19 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-11 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Unified Communications Manager
Search vendor "Cisco" for product "Unified Communications Manager"
< 12.5\(1\)su7
Search vendor "Cisco" for product "Unified Communications Manager" and version " < 12.5\(1\)su7"
session_management
Affected
Cisco
Search vendor "Cisco"
Unified Communications Manager
Search vendor "Cisco" for product "Unified Communications Manager"
>= 11.5\(1\) < 12.5\(1\)su7
Search vendor "Cisco" for product "Unified Communications Manager" and version " >= 11.5\(1\) < 12.5\(1\)su7"
-
Affected
Cisco
Search vendor "Cisco"
Unified Communications Manager
Search vendor "Cisco" for product "Unified Communications Manager"
>= 14.0 < 14su2
Search vendor "Cisco" for product "Unified Communications Manager" and version " >= 14.0 < 14su2"
-
Affected
Cisco
Search vendor "Cisco"
Unified Communications Manager
Search vendor "Cisco" for product "Unified Communications Manager"
>= 14.0 < 14su2
Search vendor "Cisco" for product "Unified Communications Manager" and version " >= 14.0 < 14su2"
session_management
Affected