CVE-2011-1610

critical

Description

Multiple SQL injection vulnerabilities in xmldirectorylist.jsp in the embedded Apache HTTP Server component in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5)su3, 7.x before 7.1(5)su4, 8.0 before 8.0(3a)su2, and 8.5 before 8.5(1)su1 allow remote attackers to execute arbitrary SQL commands via the (1) f, (2) l, or (3) n parameter, aka Bug ID CSCtj42064.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/67126

http://zerodayinitiative.com/advisories/ZDI-11-143/

http://www.vupen.com/english/advisories/2011/1122

http://www.securitytracker.com/id?1025449

http://www.securityfocus.com/bid/47607

http://www.securityfocus.com/archive/1/517727/100/0/threaded

http://www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml

http://secunia.com/advisories/44331

http://archives.neohapsis.com/archives/fulldisclosure/2011-05/0051.html

Details

Source: Mitre, NVD

Published: 2011-05-03

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.24822