Cisco Prime Collaboration Provisioning 10.6.x / 11.0.x < 11.0.0.815 Web Framework SQLi (cisco-sa-20151008-pcp)

Medium severity, Nessus Plugin ID 91344

Synopsis

The remote network management device is affected by a SQL injection vulnerability.

Description

According to its self-reported version number, the Cisco Prime Collaboration Provisioning (PCP) device is 10.6.x or 11.0.x prior to 11.0.0.582. It is, therefore, affected by a SQL injection vulnerability in the web framework component, caused by improper sanitization of user-supplied input before it is used in SQL queries. An authenticated, remote attacker can exploit this to inject or manipulate SQL queries against the back-end database, resulting in the manipulation or disclosure of arbitrary data.

Solution

Upgrade to Cisco Prime Collaboration Provisioning version 11.0.0.815 or later.

See Also

http://www.nessus.org/u?3ffcc0c2

Plugin Details

Severity: Medium

ID: 91344

File Name: cisco_prime_cp_sa-20151008-pcp.nasl

Version: 1.3

Type: combined

Family: CISCO

Published: 5/9/2016

Updated: 7/6/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:cisco:prime_collaboration_provisioning

Required KB Items: Host/Cisco/PrimeCollaborationProvisioning/version

Exploit Ease: No known exploits are available

Patch Publication Date: 10/8/2015

Vulnerability Publication Date: 10/8/2015

Reference Information

CVE: CVE-2015-6329

BID: 77050

CISCO-SA: cisco-sa-20151008-pcp

CISCO-BUG-ID: CSCut64074