CVE-2023-20010

Name of the Vulnerable Software and Affected Versions Cisco Unified Communications Manager versions 11.5(1) through 14 Cisco Unified Communications Manager Session Management Edition versions 11.5(1) through 14

Description The issue is related to errors in processing input data in the web interface of the affected systems, allowing an authenticated, remote attacker to conduct SQL injection attacks. This could enable the attacker to read or modify any data on the underlying database or elevate their privileges. The vulnerability exists because the web-based management interface inadequately validates user input.

Recommendations For Cisco Unified Communications Manager versions 11.5(1) through 12.5(1), update to version 12.5(1)SU7. For Cisco Unified Communications Manager version 14, update to version 14SU3, which is scheduled for release in March 2023. As a temporary workaround, consider restricting access to the web-based management interface to minimize the risk of exploitation.