SQL Injection Vulnerability in Cisco Management Interfaces
CVE-2023-20271
Summary
A vulnerability exists in the web-based management interfaces of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager. This issue arises from insufficient validation of user-submitted parameters, enabling authenticated, remote attackers to execute SQL injection attacks. By sending specially crafted requests after successful authentication, attackers may gain unauthorized access to sensitive data stored within the database. Successful exploitation of this vulnerability can lead to the modification and extraction of confidential information, posing significant risks to system integrity and data confidentiality.
Affected Version(s)
Cisco Evolved Programmable Network Manager (EPNM) 1.2.6
Cisco Evolved Programmable Network Manager (EPNM) 1.2.2
Cisco Evolved Programmable Network Manager (EPNM) 1.2.3