Cisco Unified Communications Manager and Unified Presence Server SQL Injection Vulnerability

Bugtraq ID:	69200
Class:	Input Validation Error
CVE:	CVE-2014-3339
Remote:	Yes
Local:	No
Published:	Aug 12 2014 12:00AM
Updated:	Aug 14 2014 12:02AM
Credit:	Cisco
Vulnerable:
Not Vulnerable:

Cisco Unified Communications Manager and Unified Presence Server SQL Injection Vulnerability

Cisco Unified Communications Manager and Unified Presence Server are prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An authenticated attacker can leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue is tracked by Cisco Bug ID CSCup74290.

Cisco Unified Communications Manager and Unified Presence Server SQL Injection Vulnerability

An attacker can exploit this issue using a web browser.

Cisco Unified Communications Manager and Unified Presence Server SQL Injection Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Cisco Unified Communications Manager and Unified Presence Server SQL Injection Vulnerability

References:

• Cisco Homepage (Cisco)
  
• Cisco TelePresence Homepage (Cisco)