Executive Summary
Summary | |
---|---|
Title | Cisco Secure Access Control System SQL Injection Vulnerability |
Informations | |||
---|---|---|---|
Name | cisco-sa-20150211-csacs | First vendor Publication | 2015-02-11 |
Vendor | Cisco | Last vendor Modification | 2015-02-11 |
Severity (Vendor) | N/A | Revision | 2.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 8 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
Cisco Secure Access Control System (ACS) prior to version 5.5 patch 8 is vulnerable to a SQL injection attack in the ACS View reporting interface pages. A successful attack could allow an authenticated, remote attacker to access and modify information such as RADIUS accounting records stored in one of the ACS View databases or to access information in the underlying file system. A previous version of this advisory indicated that a product running version 5.5 patch 7 was not vulnerable; however, customers running version 5.5 patch 7 should upgrade to patch 8 to completely mitigate the vulnerability described in this advisory. Cisco has released free software updates that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs BEGIN PGP SIGNATURE Version: GnuPG v1.4.5 (SunOS) iQIVAwUBVQCdtIpI1I6i1Mx3AQL8Qw//XbvxV5C6/9G1jCcpl5xlmfE0h3sKvDkl SXi1zpjf0U1KFQF8mP3LZbP8AM2BXm6jvOHw78ePjAEEKy7oxEZ3YxoM+HU5vWxQ 7KH/Oe56AxlRohai1JUOrmcAudS/QfpDloi8rpBjCtXq0uEhm7yg66jddw0evLqK MM4N8y2/5Pi+3AwXzL2rqWylrr0UzuXLhCBz16/mUBiXkxWhkYBkt64aUTx9nLP8 ME0A9w0wqnCAn0WN+DLOJ+CyvQ0hiMFB5msfRa9S4Sr1qkrkYvS9Un3tAtrxq0ZZ gJ98sNFQ7Da9nsfng63tAdSL7VlYs7pgV9r6paMjMYrtZl6arFWBBiOgzKwcCyG2 D5neX6zWXGsg617SdCHbQBb1o4GcFSbBFxEK+AQQ+TspeTNCnOEYwkt/h8rtB24L X8NTDT8NtuntuY5LZcTXQxM8lWWxKtcJVNuO2DjutmSwTZgK+TImFVQ18v1epRAB qyzEKVHJfGO5qiBexm7XIHxDXejEolkY9Sh9UQO0qGOxgC17TROrqv1FIsxEqcn9 YLn1iA1V3tH0HLsXo4LOD7ufqLUPgZwTspMRy0rO0XMkZFzlGNLRqwYu9yfneGZR 6FDUG76UdcIRRtumDn2pGYzE4V/YyDfDOzJiUIq8riRTD4977YioaTdnEyJepenm 7LJmxDQ8hIc= =D/X8 END PGP SIGNATURE _______________________________________________ cust-security-announce mailing list cust-security-announce@cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com |
Original Source
Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...) |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-02-19 | IAVM : 2015-A-0040 - Cisco Secure Access Control System (ACS) SQL Injection Vulnerability Severity : Category I - VMSKEY : V0058909 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-02-20 | Name : The remote host is missing a vendor-supplied security patch. File : cisco-sa-20150211-csacs.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2015-10-18 17:22:07 |
|
2015-03-12 17:22:11 |
|
2015-02-21 13:24:13 |
|
2015-02-13 00:25:36 |
|
2015-02-11 17:22:24 |
|