Cisco Unified Communications Manager contains a vulnerability that could allow an unauthenticated, remote attacker to conduct SQL injection on a vulnerable system.
The vulnerability is in a JavaServer Pages (JSP) script due to insufficient checks on user-supplied input. An unauthenticated, remote attacker could exploit this vulnerability by submitting crafted parameters that contain malicious SQL commands to the vulnerable script. The processing of these parameters could allow the attacker to execute arbitrary SQL commands that could lead to a modification of sensitive information in the underlying database.
Cisco has confirmed this vulnerability and has released updated software.
To exploit the vulnerability, an attacker would need to be able to access the Cisco Unified Communications Manager and inject SQL commands on the vulnerable system. Depending on network configurations, an attacker may need access to internal networks. The access requirement could increase the difficulty of an exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
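The pattern the advisory describes, a JSP handler that folds a request parameter straight into a SQL statement, beside the parameterized form that removes the injection path. This is an added illustration written in plain Java, not Cisco's code and not the affected script; the table, column and method names are assumptions.

```java
// Added illustration (hypothetical names): the weak and the hardened way for a
// JSP-backed handler to turn a user-supplied "user" parameter into a query.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class UserLookup {

    // Weak pattern: the parameter is concatenated into the SQL text, so its
    // content is parsed as part of the statement rather than treated as data.
    // Any quote or SQL syntax in the value changes what the database executes.
    static String buildUnsafeQuery(String user) {
        return "SELECT role FROM users WHERE name = '" + user + "'";
    }

    // Hardened pattern: a bound placeholder. The database receives the SQL and
    // the value separately, so the value can never alter the statement.
    static String lookupRole(Connection db, String user) throws SQLException {
        String sql = "SELECT role FROM users WHERE name = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("role") : null;
            }
        }
    }

    // Defense in depth: an allow-list on the parameter's shape, applied in the
    // handler before the value reaches the data layer. Rejecting out-of-shape
    // input here is the "check on user-supplied input" the advisory refers to.
    static boolean isValidUserName(String user) {
        return user != null && user.matches("[A-Za-z0-9_.-]{1,64}");
    }

    // Handler entry point as a JSP script would call it: validate first, then
    // query only through the parameterized path.
    static String handle(Connection db, String userParam) throws SQLException {
        if (!isValidUserName(userParam)) {
            return null; // treat as a bad request; never fall back to concatenation
        }
        return lookupRole(db, userParam);
    }
}
```

Detection-side note: logging rejected parameter values from the allow-list check gives a cheap signal for probing attempts against this class of endpoint.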