CVE-2021-1355

Name of the Vulnerable Software and Affected Versions Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) (affected versions not specified) Cisco Unified Communications Manager (Unified CM) (affected versions not specified) Cisco Unified Communications Manager Session Management Edition (Unified CM SME) (affected versions not specified)

Description The issue is related to multiple vulnerabilities, including path traversal and SQL injection attacks, in the Cisco Unified Communications Manager IM & Presence Service. One of the SQL injection vulnerabilities also affects Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition. The vulnerability is associated with input validation errors in the web interface, which could allow a remote attacker to execute arbitrary SQL queries.

Recommendations For Cisco Unified Communications Manager IM & Presence Service, consider restricting access to the SQL database to minimize the risk of exploitation. For Cisco Unified Communications Manager, restrict access to the vulnerable SQL injection endpoint until a patch is available. For Cisco Unified Communications Manager Session Management Edition, avoid using the vulnerable SQL query function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.