Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-0026

CWE-89 — SQL Injection CWE-200 — Information Exposure5 documents5 sources

Severity

6.5MEDIUM

EPSS

0.4%

top 42.17%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Cisco Unified Callmanager Cisco Unified Communications Manager

Timeline

PublishedFeb 14

Latest updateMay 1

Description

SQL injection vulnerability in Cisco Unified CallManager/Communications Manager (CUCM) 5.0/5.1 before 5.1(3a) and 6.0/6.1 before 6.1(1a) allows remote authenticated users to execute arbitrary SQL commands via the key parameter to the (1) admin and (2) user interface pages.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

▶NVDcisco/unified_callmanager9 versions+8

▶NVDcisco/unified_communications_manager11 versions+10

🔴Vulnerability Details

GHSA

GHSA-v78v-p3w6-9x7h: SQL injection vulnerability in Cisco Unified CallManager/Communications Manager (CUCM) 5↗2022-05-01

▶

CVEList

CVE-2008-0026: SQL injection vulnerability in Cisco Unified CallManager/Communications Manager (CUCM) 5↗2008-02-14

▶

💥Exploits & PoCs

Exploit-DB

Cisco Unified Communications Manager 6.1 - 'key' SQL Injection↗2008-02-13

▶

📋Vendor Advisories

Cisco

SQL injection in Cisco Unified Communications Manager↗2008-02-13

▶