
Cisco addressed SQL Injection flaw in Cisco Prime License Manager


Cisco has released security updates to address a vulnerability in the web framework code of Cisco Prime License Manager that could be exploited by an attacker to execute arbitrary SQL queries.

Cisco has fixed a vulnerability in Cisco Prime License Manager that could be exploited by a remote unauthenticated attacker to execute arbitrary SQL queries.

The flaw is caused by a lack of proper validation of user-supplied input before it is used in SQL queries. An attacker could trigger it by sending crafted HTTP POST requests containing malicious SQL statements to a vulnerable installation.

“A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries.” reads the advisory published by Cisco.

“The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user.” 
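The advisory describes the root cause as user-supplied input flowing unvalidated into SQL queries built from an HTTP POST body. The following added example (not Cisco's code; the `licenses` table, the product names and the hypothetical `lookup_*` handlers are constructed for illustration) shows the defect pattern beside its fix: a query assembled by string concatenation, where the request parameter becomes part of the SQL text, versus a parameterized query plus an allow-list check on the parameter, which is what "proper validation of user-supplied input" looks like in practice.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the PLM database (hypothetical schema).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE licenses (id INTEGER PRIMARY KEY, product TEXT, seats INTEGER)"
    )
    conn.executemany(
        "INSERT INTO licenses (product, seats) VALUES (?, ?)",
        [("CUCM", 500), ("Unity", 200), ("IMP", 50)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product: str) -> list:
    """Defect pattern: the POST parameter is concatenated into the SQL text,
    so quoting characters in the input change the structure of the query."""
    sql = "SELECT product, seats FROM licenses WHERE product = '" + product + "'"
    return conn.execute(sql).fetchall()


# Allow-list for the hypothetical product-name parameter: short, alphanumeric.
_PRODUCT_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_valid_product(product: str) -> bool:
    """Reject anything that is not a plausible product identifier."""
    return _PRODUCT_RE.fullmatch(product) is not None


def lookup_hardened(conn: sqlite3.Connection, product: str) -> list:
    """Fix: validate the parameter, then bind it; the driver sends the value
    separately from the SQL text, so it can never be parsed as SQL."""
    if not is_valid_product(product):
        raise ValueError("invalid product name in request")
    return conn.execute(
        "SELECT product, seats FROM licenses WHERE product = ?", (product,)
    ).fetchall()


def demo() -> dict:
    """Run both handlers on a benign value and on a value containing a quote."""
    conn = build_db()
    benign = "CUCM"
    tampered = "x' OR '1'='1"  # constructed input containing SQL metacharacters
    result = {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tampered": lookup_vulnerable(conn, tampered),
        "safe_benign": lookup_hardened(conn, benign),
    }
    try:
        lookup_hardened(conn, tampered)
        result["safe_tampered"] = "accepted"
    except ValueError:
        result["safe_tampered"] = "rejected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenated version returns every row for the tampered input because the quote closes the string literal and the rest of the input is interpreted as SQL, which is exactly the class of bug the advisory describes; the bound-parameter version treats the same bytes as an opaque value, and the allow-list check rejects it before the database is even consulted.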

The flaw was reported by Suhail Alaskar from Saudi Information Technology Company. It affects Prime License Manager releases 11.0.1 and later, in both standalone deployments of Cisco Prime License Manager and coresident deployments, where Prime License Manager is installed automatically as part of the installation of Cisco Unified Communications Manager and Cisco Unity Connection.

Cisco Unified Communications Manager and Cisco Unity Connection Releases 12.0 and later are not affected by this flaw as Cisco Prime License Manager is no longer included in these releases.

There are no workarounds that address the flaw; Cisco released the patch ciscocm.CSCvk30822_v1.0.k3.cop.sgn to fix it in Prime License Manager.

“This vulnerability is fixed in Cisco Prime License Manager Release patch ciscocm.CSCvk30822_v1.0.k3.cop.sgn.” continues the company. “The same COP file can be used with standalone deployments of Cisco Prime License Manager as well as with coresident deployments as part of Cisco Unified Communications Manager and Cisco Unity Connection and with all affected versions.” 

Cisco is not aware of attacks in the wild exploiting the flaw.


Pierluigi Paganini

(Security Affairs – CISCO, SQL Injection)
