Vulnerability Details : CVE-2014-3287
SQL injection vulnerability in BulkViewFileContentsAction.java in the Java interface in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to execute arbitrary SQL commands via crafted filename parameters in a URL, aka Bug ID CSCuo17337.
Vulnerability category: Sql Injection
Exploit prediction scoring system (EPSS) score for CVE-2014-3287
Probability of exploitation activity in the next 30 days: 0.10%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 41 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-3287
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST |
CWE ids for CVE-2014-3287
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3287
-
http://www.securitytracker.com/id/1030411
Cisco Unified Communications Manager Input Validation Flaw in 'BulkViewFileContentsAction.java' Lets Remote Authenticated Users Inject SQL Commands - SecurityTrackerThird Party Advisory;VDB Entry
-
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3287
Cisco Unified Communications Manager Java Interface SQL Injection VulnerabilityVendor Advisory
-
http://www.securityfocus.com/bid/68000
Cisco Unified Communications Manager Java Interface SQL Injection VulnerabilityThird Party Advisory;VDB Entry
Products affected by CVE-2014-3287
- cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*:*