Cisco Secure Access Control System SQLi Vulnerability (cisco-sa-20150211-csacs)

medium Nessus Plugin ID 81421

Synopsis

The remote host is missing a vendor-supplied security patch.

Description

The version of Cisco Secure Access Control System (ACS) running on the remote host is prior to 5.5 patch 7. It is, therefore, affected by a SQL injection vulnerability because user input to the ACS View reporting interface pages is not properly sanitized. An authenticated, remote attacker can use crafted HTTP requests to inject or manipulate SQL queries and thereby disclose or modify arbitrary data in the ACS View databases.

Solution

Upgrade to version 5.5 patch 7 or later.

See Also

http://www.nessus.org/u?e9cfc99c

https://tools.cisco.com/security/center/viewAlert.x?alertId=37354

Plugin Details

Severity: Medium

ID: 81421

File Name: cisco-sa-20150211-csacs.nasl

Version: 1.8

Type: local

Family: CISCO

Published: 2/20/2015

Updated: 11/25/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2015-0580

Vulnerability Information

CPE: cpe:/a:cisco:secure_access_control_system

Required KB Items: Host/Cisco/ACS/Version, Host/Cisco/ACS/DisplayVersion

Exploit Ease: No known exploits are available

Patch Publication Date: 11/17/2014

Vulnerability Publication Date: 2/11/2015

Reference Information

CVE: CVE-2015-0580

BID: 72576

CISCO-SA: cisco-sa-20150211-csacs

CISCO-BUG-ID: CSCuq79027