VDB

CVE-2023-20211

CVE-2023-20211 PUBLISHED CVSS 8.1 HIGH

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by authenticating to the application as a user with read-only or higher privileges and sending crafted HTTP requests to an affected system. A successful exploit could allow the attacker to read or modify data in the underlying database or elevate their privileges.

EPSS 0.23% · 45.5th percentile

Risk Scores

CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.23% (45.5th percentile)

Affected Products

Vendor | Product | Versions
Cisco | Cisco Unified Communications Manager | 12.0(1)SU2, 12.0(1)SU3, 12.0(1)SU4
cisco | unified_communications_manager | 12.5\(1\), 12.5\(1\), 14.0
Cisco | Cisco Unified Communications Manager / Cisco Unity Connection | 10.5(1)SU1, 10.5(1)SU1a, 10.5(2)SU1

Timeline

  • Aug 16, 2023 CVE Published
  • Aug 18, 2023 EPSS Score
  • Sep 20, 2023 EPSS Score
  • Oct 23, 2023 EPSS Score
  • Nov 26, 2023 EPSS Score
  • Dec 29, 2023 EPSS Score
  • Jan 31, 2024 EPSS Score
  • Mar 4, 2024 EPSS Score
  • Apr 7, 2024 EPSS Score
  • May 10, 2024 EPSS Score
  • Jun 12, 2024 EPSS Score
  • Jul 15, 2024 EPSS Score