Cisco Unified MeetingPlace Unspecified SQLi (CSCuu54037)

medium Nessus Plugin ID 84727

Synopsis

The remote web server is running a conferencing application that is affected by a SQL injection vulnerability.

Description

According to its self-reported version number, the Cisco Unified MeetingPlace application hosted on the remote web server is potentially affected by a SQL injection vulnerability due to a failure to properly sanitize user-supplied input. An authenticated, remote attacker can exploit this to manipulate or disclose arbitrary data by sending a crafted SQL statement to the system.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Additionally, the coarse nature of the version information Nessus gathered is not enough to confirm that the application is vulnerable, only that it might be affected.

Solution

Upgrade to version 8.6(1.537) or greater.

Alternatively, contact the vendor regarding the patch for Cisco bug ID CSCuu54037.

See Also

http://www.nessus.org/u?ca146367

https://tools.cisco.com/bugsearch/bug/CSCuu54037

Plugin Details

Severity: Medium

ID: 84727

File Name: cisco-CSCuu54037-mp.nasl

Version: 1.6

Type: remote

Family: CISCO

Published: 7/14/2015

Updated: 6/4/2024

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:cisco:unified_meetingplace

Required KB Items: Settings/ParanoidReport, installed_sw/Cisco Unified MeetingPlace

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Patch Publication Date: 6/30/2015

Vulnerability Publication Date: 6/30/2015

Reference Information

CVE: CVE-2015-4233

BID: 75500

CISCO-BUG-ID: CSCuu54037