Details of VAR-201304-0288

ID

VAR-201304-0288

CVE

CVE-2013-1177

TITLE

Cisco Network Admission Control Manager In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2013-002414

DESCRIPTION

SQL injection vulnerability in Cisco Network Admission Control (NAC) Manager before 4.8.3.1 and 4.9.x before 4.9.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCub23095. Vendors have confirmed this vulnerability Bug ID CSCub23095 It is released as.By any third party SQL The command may be executed. Authentication is not required to exploit this vulnerability.The specific flaw is in the handling of sortColumn URL parameters when constructing SQL database queries. By specially crafting URL parameters, it is possible to influence the SQL queries to gain remote code execution on the affected system. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database and execute arbitrary code. This issue is tracked by Cisco BugID CSCub23095

Trust: 3.24

sources: NVD: CVE-2013-1177 // JVNDB: JVNDB-2013-002414 // ZDI: ZDI-13-067 // ZDI: ZDI-13-066 // BID: 59271 // VULHUB: VHN-61179

AFFECTED PRODUCTS

vendor:	cisco	model:	network admission control manager and server system software	scope:	eq	version:	4.8.2	Trust: 1.6
vendor:	cisco	model:	network admission control manager and server system software	scope:	eq	version:	4.8.0	Trust: 1.6
vendor:	cisco	model:	network admission control manager and server system software	scope:	eq	version:	4.8.1	Trust: 1.6
vendor:	cisco	model:	network admission control manager and server system software	scope:	eq	version:	4.9.1	Trust: 1.6
vendor:	cisco	model:	network admission control manager and server system software	scope:	eq	version:	4.9.0	Trust: 1.6
vendor:	cisco	model:	clean access manager	scope:	-	version:	-	Trust: 1.4
vendor:	cisco	model:	network admission control manager and server system software	scope:	lte	version:	4.8.3	Trust: 1.0
vendor:	cisco	model:	network admission control manager	scope:	eq	version:	4.9.2	Trust: 0.8
vendor:	cisco	model:	network admission control manager	scope:	lt	version:	4.9.x	Trust: 0.8
vendor:	cisco	model:	network admission control manager and server system software	scope:	eq	version:	4.8.3	Trust: 0.6
vendor:	cisco	model:	network admission control	scope:	eq	version:	4.9	Trust: 0.3
vendor:	cisco	model:	network admission control	scope:	eq	version:	4.8.2	Trust: 0.3
vendor:	cisco	model:	network admission control	scope:	eq	version:	4.8.1	Trust: 0.3
vendor:	cisco	model:	network admission control	scope:	eq	version:	4.8.0	Trust: 0.3

sources: ZDI: ZDI-13-067 // ZDI: ZDI-13-066 // BID: 59271 // JVNDB: JVNDB-2013-002414 // CNNVD: CNNVD-201304-419 // NVD: CVE-2013-1177

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2013-1177
value:	HIGH
Trust: 1.4
nvd@nist.gov:	CVE-2013-1177
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-1177
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201304-419
value:	HIGH
Trust: 0.6
VULHUB:	VHN-61179
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-1177
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
ZDI:	CVE-2013-1177
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.4
VULHUB:	VHN-61179
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-13-067 // ZDI: ZDI-13-066 // VULHUB: VHN-61179 // JVNDB: JVNDB-2013-002414 // CNNVD: CNNVD-201304-419 // NVD: CVE-2013-1177

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-61179 // JVNDB: JVNDB-2013-002414 // NVD: CVE-2013-1177

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201304-419

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201304-419

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-002414

PATCH

title:	cisco-sa-20130417-nac	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130417-nac	Trust: 2.2
title:	28928	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=28928	Trust: 0.8
title:	cisco-sa-20130417-nac	url:	http://www.cisco.com/cisco/web/support/JP/111/1117/1117759_cisco-sa-20130417-nac-j.html	Trust: 0.8

sources: ZDI: ZDI-13-067 // ZDI: ZDI-13-066 // JVNDB: JVNDB-2013-002414

EXTERNAL IDS

db:	NVD	id:	CVE-2013-1177	Trust: 4.2
db:	JVNDB	id:	JVNDB-2013-002414	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-1535	Trust: 0.7
db:	ZDI	id:	ZDI-13-067	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-1536	Trust: 0.7
db:	ZDI	id:	ZDI-13-066	Trust: 0.7
db:	CNNVD	id:	CNNVD-201304-419	Trust: 0.7
db:	CISCO	id:	20130417 CISCO NETWORK ADMISSION CONTROL MANAGER SQL INJECTION VULNERABILITY	Trust: 0.6
db:	SECUNIA	id:	53130	Trust: 0.6
db:	BID	id:	59271	Trust: 0.4
db:	VULHUB	id:	VHN-61179	Trust: 0.1

sources: ZDI: ZDI-13-067 // ZDI: ZDI-13-066 // VULHUB: VHN-61179 // BID: 59271 // JVNDB: JVNDB-2013-002414 // CNNVD: CNNVD-201304-419 // NVD: CVE-2013-1177

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20130417-nac	Trust: 3.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1177	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1177	Trust: 0.8
url:	http://secunia.com/advisories/53130	Trust: 0.6
url:	http://www.cisco.com/en/us/products/ps6128/index.html	Trust: 0.3

sources: ZDI: ZDI-13-067 // ZDI: ZDI-13-066 // VULHUB: VHN-61179 // BID: 59271 // JVNDB: JVNDB-2013-002414 // CNNVD: CNNVD-201304-419 // NVD: CVE-2013-1177

CREDITS

Nenad Stojanovski

Trust: 1.4

sources: ZDI: ZDI-13-067 // ZDI: ZDI-13-066

SOURCES

db:	ZDI	id:	ZDI-13-067
db:	ZDI	id:	ZDI-13-066
db:	VULHUB	id:	VHN-61179
db:	BID	id:	59271
db:	JVNDB	id:	JVNDB-2013-002414
db:	CNNVD	id:	CNNVD-201304-419
db:	NVD	id:	CVE-2013-1177

LAST UPDATE DATE

2025-04-11T23:16:38.155000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-13-067	date:	2013-05-10T00:00:00
db:	ZDI	id:	ZDI-13-066	date:	2013-05-10T00:00:00
db:	VULHUB	id:	VHN-61179	date:	2013-04-19T00:00:00
db:	BID	id:	59271	date:	2013-05-13T11:12:00
db:	JVNDB	id:	JVNDB-2013-002414	date:	2013-04-22T00:00:00
db:	CNNVD	id:	CNNVD-201304-419	date:	2013-04-19T00:00:00
db:	NVD	id:	CVE-2013-1177	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-13-067	date:	2013-05-10T00:00:00
db:	ZDI	id:	ZDI-13-066	date:	2013-05-10T00:00:00
db:	VULHUB	id:	VHN-61179	date:	2013-04-18T00:00:00
db:	BID	id:	59271	date:	2013-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2013-002414	date:	2013-04-22T00:00:00
db:	CNNVD	id:	CNNVD-201304-419	date:	2013-04-19T00:00:00
db:	NVD	id:	CVE-2013-1177	date:	2013-04-18T18:55:06.910