SQL Injection Vulnerability in Cisco Emergency Responder
CVE-2017-12227

5.4 MEDIUM

Key Information:

Vendor: Cisco
CVE Published: 7 September 2017

Summary

A flaw in the SQL database interface for Cisco Emergency Responder allows an authenticated remote attacker to perform a blind SQL injection. This vulnerability arises from inadequate validation of user input in SQL queries, enabling an attacker to bypass security filters. By crafting malicious URLs embedded with SQL statements, the attacker can potentially view or alter database entries, compromising data integrity. This could lead to unauthorized data manipulation and breaches within the affected systems.

Affected Version(s)

Cisco Emergency Responder

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
