Cisco Unified Communications Domain Manager Application Software SQL Injection Vulnerability

A vulnerability in the Image Management functionality of Cisco Unified Communications Domain Manager Application Software could allow an authenticated, remote attacker to conduct SQL injection attacks.

The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker who could successfully authenticate to a targeted system could exploit this vulnerability by submitting crafted input to be processed by the system. A successful exploit could give the attacker the ability to access sensitive information stored in the database on an affected device, which could be used to conduct further attacks.

Cisco has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement decreases the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.