CVE-2014-3339

Multiple SQL injection vulnerabilities in the administrative web interface in Cisco Unified Communications Manager (CM) and Cisco Unified Presence Server (CUPS) allow remote authenticated users to execute arbitrary SQL commands via crafted input to unspecified pages, aka Bug ID CSCup74290.

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3339	Vendor Advisory
http://www.securityfocus.com/bid/69200
https://exchange.xforce.ibmcloud.com/vulnerabilities/95250

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:unified_communications_domain_manager:-:::::::*
	cpe:2.3:a:cisco:unified_presence_server::::::::

History

No history.

Information

Published : 2014-08-12 23:55

Updated : 2017-08-29 01:34

NVD link : CVE-2014-3339

Mitre link : CVE-2014-3339

CVE.ORG link : CVE-2014-3339

JSON object : View

Products Affected

cisco

unified_presence_server
unified_communications_domain_manager

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2014-3339", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-08-12T23:55:03.957", "references": [{"url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3339", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}, {"url": "http://www.securityfocus.com/bid/69200", "source": "ykramarz@cisco.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95250", "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in the administrative web interface in Cisco Unified Communications Manager (CM) and Cisco Unified Presence Server (CUPS) allow remote authenticated users to execute arbitrary SQL commands via crafted input to unspecified pages, aka Bug ID CSCup74290."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en la interfaz del web de administraci\u00f3n en Cisco Unified Communications Manager (CM) y Cisco Unified Presence Server (CUPS) permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s de entradas manipuladas en p\u00e1ginas no especificadas, tambi\u00e9n conocido como Bug ID CSCup74290."}], "lastModified": "2017-08-29T01:34:42.810", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:unified_communications_domain_manager:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAC05C99-071F-47E7-A3B6-899488520663"}, {"criteria": "cpe:2.3:a:cisco:unified_presence_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D3C9AF1-A2BF-4F56-BE38-ED6DC45E94E7"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}