Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-4634

CWE-89 SQL Injection | 4 documents | 4 sources
Severity: 9.3 CRITICAL
EPSS: 1.5% (top 18.72%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Aug 31; latest update May 1

Description

Multiple SQL injection vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3.3(5)sr2b, 4.1 before 4.1(3)sr5, 4.2 before 4.2(3)sr2, and 4.3 before 4.3(1)sr1 allow remote attackers to execute arbitrary SQL commands via the lang variable to the (1) user or (2) admin logon page, aka CSCsi64265.

CVSS vector

AV:N/AC:M/C:C/I:C/A:C | Exploitability: 8.6 | Impact: 10.0

Affected Packages (2 packages)

NVD: cisco/call_manager (16 versions)

🔴 Vulnerability Details (2)

GHSA: GHSA-j2qg-mp2j-cf9c: Multiple SQL injection vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3… (2022-05-01)
CVEList: CVE-2007-4634: Multiple SQL injection vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3… (2007-08-31)

💥 Exploits & PoCs (1)

Exploit-DB: Cisco CallManager 4.2 / CUCM 4.2 - Logon Page 'lang' SQL Injection (2007-08-29)
CVE-2007-4634 (CRITICAL CVSS 9.3) | Multiple SQL injection vulnerabilit | cvebase.io