SQL Injection in Cisco Unity_connection

CVE-2015-6299

SQL injection vulnerability in the web interface in Cisco Unity Connection 9.1(1.2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted POST request, aka Bug ID CSCuv63824.

Vulnerability class: SQL Injection

EPSS: 0.003 (52.4th percentile) — read the EPSS interpretation.

Affected products

Cisco Unity_connection — versions 9.1\(1\), 9.1\(2\)
N/a — versions n/a

Weakness classification (CWE)

CWE-89 — SQL Injection

References

20150918 Cisco Unity Connection Web Interface SQL Injection Vulnerability (x_refsource_CISCO, vendor-advisory, Vendor Advisory)
1033622 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_SECTRACK)