Details of VAR-202301-1643

ID

VAR-202301-1643

CVE

CVE-2023-20010

TITLE

Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-002347

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges. (DoS) It may be in a state

Trust: 1.8

sources: NVD: CVE-2023-20010 // JVNDB: JVNDB-2023-002347 // VULHUB: VHN-444777 // VULMON: CVE-2023-20010

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	lt	version:	14su2	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	gte	version:	14.0	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	gte	version:	11.5\(1\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lt	version:	12.5\(1\)su7	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco unified communications manager	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco unified communications manager	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-002347 // NVD: CVE-2023-20010

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2023-20010
value:	HIGH
Trust: 1.8
ykramarz@cisco.com:	CVE-2023-20010
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202301-1557
value:	HIGH
Trust: 0.6

NVD:
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2023-20010
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-002347 // CNNVD: CNNVD-202301-1557 // NVD: CVE-2023-20010 // NVD: CVE-2023-20010

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.1
problemtype:	SQL injection (CWE-89) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-444777 // JVNDB: JVNDB-2023-002347 // NVD: CVE-2023-20010

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202301-1557

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202301-1557

CONFIGURATIONS

sources: NVD: CVE-2023-20010

PATCH

title:	cisco-sa-cucm-sql-rpPczR8n	url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cucm-sql-rppczr8n	Trust: 0.8
title:	Cisco Unified Communications Manager SQL Repair measures for injecting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqbyid.tag?id=223501	Trust: 0.6
title:	Cisco: Cisco Unified Communications Manager SQL Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-cucm-sql-rppczr8n	Trust: 0.1

sources: VULMON: CVE-2023-20010 // JVNDB: JVNDB-2023-002347 // CNNVD: CNNVD-202301-1557

EXTERNAL IDS

db:	NVD	id:	CVE-2023-20010	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-002347	Trust: 0.8
db:	CNNVD	id:	CNNVD-202301-1557	Trust: 0.6
db:	VULHUB	id:	VHN-444777	Trust: 0.1
db:	VULMON	id:	CVE-2023-20010	Trust: 0.1

sources: VULHUB: VHN-444777 // VULMON: CVE-2023-20010 // JVNDB: JVNDB-2023-002347 // CNNVD: CNNVD-202301-1557 // NVD: CVE-2023-20010

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cucm-sql-rppczr8n	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2023-20010	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-20010/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-444777 // VULMON: CVE-2023-20010 // JVNDB: JVNDB-2023-002347 // CNNVD: CNNVD-202301-1557 // NVD: CVE-2023-20010

SOURCES

db:	VULHUB	id:	VHN-444777
db:	VULMON	id:	CVE-2023-20010
db:	JVNDB	id:	JVNDB-2023-002347
db:	CNNVD	id:	CNNVD-202301-1557
db:	NVD	id:	CVE-2023-20010

LAST UPDATE DATE

2024-01-29T19:09:23.236000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-444777	date:	2023-02-01T00:00:00
db:	VULMON	id:	CVE-2023-20010	date:	2023-01-20T00:00:00
db:	JVNDB	id:	JVNDB-2023-002347	date:	2023-07-05T07:56:00
db:	CNNVD	id:	CNNVD-202301-1557	date:	2023-02-02T00:00:00
db:	NVD	id:	CVE-2023-20010	date:	2024-01-25T17:15:24.623

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-444777	date:	2023-01-20T00:00:00
db:	VULMON	id:	CVE-2023-20010	date:	2023-01-20T00:00:00
db:	JVNDB	id:	JVNDB-2023-002347	date:	2023-07-05T00:00:00
db:	CNNVD	id:	CNNVD-202301-1557	date:	2023-01-20T00:00:00
db:	NVD	id:	CVE-2023-20010	date:	2023-01-20T07:15:13.340