VDB
CVE-2023-20010
CVE-2023-20010
PUBLISHED
CVSS 8.100000381469727 HIGH
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges.
EPSS 0.29% · 52.8th percentile
Risk Scores
CVSS 3.1
8.100000381469727
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.29%
52.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| cisco | unified_communications_manager | 0, *, 14.0 |
| Cisco | Unified Communications Manager | |
| Cisco | Cisco Unified Communications Manager | 12.5(1)SU4, 12.5(1)SU6, 14 |
Exploit Intelligence
- cisco-sa-cucm-sql-rpPczR8n (circl)
Timeline
- Jan 19, 2023 CVE Published
- Jan 20, 2023 EPSS Score
- Mar 2, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 11, 2023 EPSS Score
- May 22, 2023 EPSS Score
- Jul 1, 2023 EPSS Score
- Aug 11, 2023 EPSS Score
- Sep 20, 2023 EPSS Score
- Oct 31, 2023 EPSS Score
- Dec 10, 2023 EPSS Score
- Jan 20, 2024 EPSS Score