PT-2017-17293 · Cisco · Cisco Smart Net Total Care (Sntc) Software Collector Appliance

Published: 2017-08-07 · Updated: 2019-10-09 · CVE-2017-6754

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Cisco Smart Net Total Care (SNTC) Software Collector Appliance version 3.11

Description

A vulnerability in the web-based management interface could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack. This could compromise the confidentiality of the system through SQL timing attacks due to insufficient input validation of certain user-supplied fields used to build SQL queries. An attacker could exploit this by submitting crafted URLs to the affected software, requiring multiple requests to execute an attack successfully. A successful exploit could allow the attacker to determine the presence of values in the SQL database.

Recommendations

For Cisco Smart Net Total Care (SNTC) Software Collector Appliance version 3.11, consider restricting access to the web-based management interface until a fix is available. As a temporary workaround, avoid using user-supplied fields that are used to build SQL queries to minimize the risk of exploitation.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2017-6754

Affected Products

Cisco Smart Net Total Care (Sntc) Software Collector Appliance