Vulnerability Details : CVE-2021-1282
Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.
Vulnerability category: Sql InjectionDirectory traversal
Products affected by CVE-2021-1282
- cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*:*
- Cisco » Unified Communications ManagerVersions from including (>=) 12.0 and before (<) 12.0\(1\)su4cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*:*
- Cisco » Unified Communications ManagerVersions from including (>=) 12.5 and before (<) 12.5\(1\)su4cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*:*
- Cisco » Unified Communications Manager » Session Management EditionVersions from including (>=) 12.5 and before (<) 12.5\(1\)su4cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:*
- Cisco » Unified Communications Manager » Session Management EditionVersions from including (>=) 12.0 and before (<) 12.0\(1\)su4cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:*
- Cisco » Unified Communications Manager » Session Management EditionVersions before (<) 11.5\(1\)su9cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:*
- Cisco » Unified Communications Manager Im And Presence ServiceVersions from including (>=) 12.0 and before (<) 12.5\(1\)su4cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-1282
0.45%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 62 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-1282
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
|
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
Cisco Systems, Inc. | |
|
4.9
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
1.2
|
3.6
|
NIST |
CWE ids for CVE-2021-1282
-
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.Assigned by: ykramarz@cisco.com (Secondary)
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-1282
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-imp-trav-inj-dM687ZD6
Cisco Unified Communications Products VulnerabilitiesVendor Advisory
Jump to