CVE-2019-12710

MEDIUM

Cisco Unified Communications Manager - Authenticated SQL Injection

Title source: llm
STIX 2.1

Description

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an authenticated, remote attacker to impact the confidentiality of an affected system by executing arbitrary SQL queries. The vulnerability exists because the affected software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted requests that contain malicious SQL statements to the affected application. A successful exploit could allow the attacker to determine the presence of certain values in the database, impacting the confidentiality of the system.

References (1)

Core 1
Core References

Scores

CVSS v3 4.9
EPSS 0.0149
EPSS Percentile 71.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (4)
cisco/unified_communications_manager 10.5\(2.10000.5\)
cisco/unified_communications_manager 11.5\(1.10000.6\)
cisco/unified_communications_manager 12.0\(1.10000.10\)
cisco/unified_communications_manager 12.5\(1.10000.22\)
Published Oct 02, 2019
Tracked Since Feb 18, 2026