CVE-2021-1362

Name of the Vulnerable Software and Affected Versions: Cisco Unified Communications Manager (affected versions not specified) Cisco Unified Communications Manager Session Management Edition (affected versions not specified) Cisco Unified Communications Manager IM & Presence Service (affected versions not specified) Cisco Unity Connection (affected versions not specified) Cisco Prime License Manager (affected versions not specified)

Description: The issue is related to improper sanitization of user-supplied input in the SOAP API endpoint, which could allow an authenticated, remote attacker to execute arbitrary code on an affected device. An attacker could exploit this by sending a SOAP API request with crafted parameters to an affected device, potentially allowing the execution of arbitrary code with root privileges on the underlying Linux operating system.

Recommendations: For Cisco Unified Communications Manager, update to a version that includes the fix for this issue. For Cisco Unified Communications Manager Session Management Edition, update to a version that includes the fix for this issue. For Cisco Unified Communications Manager IM & Presence Service, update to a version that includes the fix for this issue. For Cisco Unity Connection, update to a version that includes the fix for this issue. For Cisco Prime License Manager, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the SOAP API endpoint until a patch is available.