Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-1609 — SQL Injection in Cisco Unified Communications Manager

CWE-89 — SQL Injection5 documents5 sources

Severity

8.5HIGHNVD

EPSS

1.8%

top 17.10%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Cisco Unified Communications Manager

Timeline

PublishedMay 3

Latest updateMay 17

Description

SQL injection vulnerability in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5)su2, 7.x before 7.1(5)su1, 8.0 before 8.0(3), and 8.5 before 8.5(1) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtg85647.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 6.8 | Impact: 10.0

Affected Packages1 packages

▶NVDcisco/unified_communications_manager45 versions+44

🔴Vulnerability Details

GHSA

GHSA-x2j3-3jfh-q9x7: SQL injection vulnerability in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6↗2022-05-17

▶

CVEList

CVE-2011-1609: SQL injection vulnerability in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6↗2011-05-03

▶

💥Exploits & PoCs

Exploit-DB

Cisco Unified Communications Manager 8.5 - 'xmldirectorylist.jsp' Multiple SQL Injections↗2011-04-27

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt↗2011-05-03

▶