Cisco Fixed SQL Injection Vulnerability in Cisco Prime License Manager

Cisco released a security update to address security vulnerabilities in the Cisco Prime License Manager, which can be exploited by an attacker to perform arbitrary SQL queries. The vulnerability was reported by Saudi Information Technology Company, Suhail Alaskar.

The vulnerability stems from the lack of proper validation in SQL queries entered by users. An attacker could trigger a vulnerability by sending an HTTP POST request made to a vulnerable application that contained a malicious SQL statement.

“A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries.

The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user.” 

Affected Products

  • Cisco Prime License Manager Releases 11.0.1 and later

Solution

Cisco released the patch to fix this vulnerability, users update Cisco Prime License Manager as soon as possible.