Cisco has announced fixes for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).
Cisco Unified CM and Unified CM SME are enterprise call and session management platforms; they provide the call control and session services that applications such as Webex and Jabber depend on, and underpin the availability and security of those services.
CVE-2023-20010, which carries a CVSS score of 8.1, stems from insufficient validation of user-supplied input in the web-based management interface of the platform.
The flaw allows an authenticated, remote attacker to conduct SQL injection attacks against an affected system.
An attacker could exploit the vulnerability by logging in to the application as a low-privilege user and submitting crafted SQL queries to the affected system.
A successful exploit could allow the attacker to read or modify any data in the underlying database, or to elevate their privileges.
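To make concrete what "insufficient validation of user-supplied input in a web management interface" means for this class of bug, here is an added, generic illustration in Python with sqlite3. It is not Cisco's code and not an exploit for CVE-2023-20010; the schema, the table and column names, the two lookup functions and the payload are all constructed for the example. It shows the same lookup written two ways: with the caller's value concatenated into the SQL text, where a low-privilege user's input can pull rows from a table they were never meant to read, and with a bound parameter, where the identical input is treated purely as data.

```python
import sqlite3


def setup_db():
    """Constructed sample database (not Cisco's schema): a table of ordinary
    end users that a low-privilege account may look itself up in, and a
    separate table of administrative accounts it must never read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE enduser (userid TEXT, firstname TEXT);
        CREATE TABLE adminuser (userid TEXT, password TEXT);
        INSERT INTO enduser VALUES ('alice', 'Alice');
        INSERT INTO enduser VALUES ('bob', 'Bob');
        INSERT INTO adminuser VALUES ('ccmadmin', 'hunter2');
    """)
    conn.commit()
    return conn


def lookup_vulnerable(conn, userid):
    """Vulnerable pattern: the caller-controlled value is spliced into the
    SQL text, so quote characters in it change the structure of the query."""
    sql = "SELECT userid, firstname FROM enduser WHERE userid = '" + userid + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, userid):
    """Hardened pattern: the same query with a bound parameter. The driver
    passes the value separately from the statement, so it can only ever be
    compared against the userid column, never parsed as SQL."""
    sql = "SELECT userid, firstname FROM enduser WHERE userid = ?"
    return conn.execute(sql, (userid,)).fetchall()


# Constructed injection payload: closes the string literal, UNIONs in the
# admin table (same column count as the legitimate SELECT), and comments out
# the closing quote that the vulnerable code appends.
PAYLOAD = "x' UNION SELECT userid, password FROM adminuser --"


if __name__ == "__main__":
    conn = setup_db()
    print("normal lookup:   ", lookup_vulnerable(conn, "alice"))
    print("injected lookup: ", lookup_vulnerable(conn, PAYLOAD))
    print("parameterized:   ", lookup_safe(conn, PAYLOAD))
```

The injected call returns the administrative credential row from a table the low-privilege user has no business reading, which is the "read any data / elevate privileges" outcome the advisory describes for this bug class; the parameterized version returns nothing for the same input because no end user is literally named after the payload. Input "checking" that tries to strip quotes is a weaker fix than binding parameters, since it has to anticipate every encoding the database will accept.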
The bug affects Cisco Unified CM and Unified CM SME releases 11.5(1), 12.5(1) and 14; it has been fixed in release 12.5(1)SU7.
The fix will also be included in release 14SU3, which is scheduled for release in March 2023.
Cisco also informed customers of a medium-severity URL filtering bypass vulnerability in the AsyncOS software for Email Security Appliance (ESA).
An unauthenticated, remote attacker could exploit the flaw by supplying crafted URLs.
This week, Cisco also announced fixes for three medium-severity bugs in the Expressway Series and TelePresence Video Communication Server (VCS).
The vulnerabilities reside in the APIs and web-based management interfaces of these products and could be exploited by an authenticated, remote attacker to write files or access sensitive data on an affected device.
All Expressway Series and TelePresence VCS releases prior to 14.0.7 are vulnerable.
Cisco says it is not aware of any of these vulnerabilities being exploited in the wild.
Additional information about the flaws is available in Cisco's security advisories.