Cisco Unity Connection Web Interface SQL Injection Vulnerability

A vulnerability in the web interface of Cisco Unity Connection (UC) could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries.

The vulnerability is due to a lack of input validation on user-supplied input in SQL queries. An attacker could exploit this vulnerability by entering a maliciously crafted value containing SQL commands as an HTTP POST request parameter. An exploit could allow the attacker to determine the presence of certain values in the database.

Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit this vulnerability, an attacker must
authenticate to the targeted device. This access requirement may reduce
the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code
exists; however, the code is not known to be publicly available.

This vulnerability was reported to Cisco by Paul Heneghan from NCIA/NCIRC.