Three security vulnerabilities have been identified in the Cisco Unified Operations Manager (CUOM) software package that can be exploited to carry out XSS attacks or to inject SQL code.
Package:
Cisco Unified Operations Manager 8.x
Operating systems:
Microsoft Windows Server 2003, Microsoft Windows Server 2008
Severity:
6.2
Problem:
inadequate validation of input data, error in a software component
Exploitation:
remote
Consequence:
execution of SQL code, injection of HTML and script code
Solution:
vendor software patch
CVE:
CVE-2011-0959, CVE-2011-0960, CVE-2011-0962
Original advisory ID:
VUPEN/ADV-2011-1268
Source:
VUPEN
Problem:
The vulnerabilities result from inadequate validation of input data in the "ServerHelpEngine", "PRTestCreation.do", "TelePresenceReportAction.do" and other scripts.
Cisco Unified Operations Manager SQL Injection and Cross Site Scripting
VUPEN ID VUPEN/ADV-2011-1268
CVE ID CVE-2011-0959 - CVE-2011-0960 - CVE-2011-0962
Rated as Moderate Risk
Release Date 2011-05-19
Technical Description
Multiple vulnerabilities have been identified in Cisco Unified Operations Manager (CUOM), which could be exploited to inject scripting code or SQL queries. These issues are caused by input validation errors in the "ServerHelpEngine", "PRTestCreation.do", "TelePresenceReportAction.do" and other scripts, which could be exploited to conduct cross site scripting and SQL injection attacks.
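The advisory names only the failure class (input validation errors leading to SQL injection and cross-site scripting), not the affected code. The following is an added illustration written for this page, not code from Cisco, VUPEN or CUOM: it places the two defective patterns (string-built SQL, unencoded HTML reflection) beside their hardened forms, using a constructed in-memory SQLite table and a hypothetical "reports" lookup as stand-ins for whatever the real `.do` handlers query.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data; the real CUOM schema is not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO reports (owner, title) VALUES (?, ?)",
        [("alice", "Phone health"), ("bob", "TelePresence usage")],
    )
    conn.commit()
    return conn


def reports_vulnerable(conn, owner):
    # Defective pattern: the request parameter is spliced into the query
    # text, so a quote in the value is parsed as SQL syntax rather than data.
    sql = "SELECT title FROM reports WHERE owner = '%s' ORDER BY id" % owner
    return [row[0] for row in conn.execute(sql)]


def reports_hardened(conn, owner):
    # Parameter binding: the driver sends the value separately from the
    # statement, so it can only be compared as a literal string.
    rows = conn.execute(
        "SELECT title FROM reports WHERE owner = ? ORDER BY id", (owner,)
    )
    return [row[0] for row in rows]


def render_vulnerable(title):
    # Defective pattern: a parameter is reflected into HTML unencoded,
    # so markup in it becomes part of the page (the XSS condition).
    return "<h1>Report: %s</h1>" % title


def render_hardened(title):
    # Output encoding for an HTML text/attribute context: <, >, &, quotes
    # are turned into entities, so the value is displayed, not interpreted.
    return "<h1>Report: %s</h1>" % html.escape(title, quote=True)


if __name__ == "__main__":
    conn = make_db()
    tainted = "x' OR '1'='1"          # constructed test input
    print(reports_vulnerable(conn, tainted))   # WHERE clause subverted: both rows
    print(reports_hardened(conn, tainted))     # []: no owner literally named that
    print(render_vulnerable("<b>x</b>"))       # tag survives into the page
    print(render_hardened("<b>x</b>"))         # tag rendered as text
```

The fix for both classes is the same principle the advisory's "input validation errors" wording points at: data from the request must never be able to change the structure of the SQL statement or the HTML document it ends up in. Parameter binding and context-specific output encoding enforce that regardless of what validation did or did not happen earlier.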
Affected Products
Cisco Unified Operations Manager versions prior to 8.6
Solution
Apply patches:
http://tools.cisco.com/security/center/viewAlert.x?alertId=23085
http://tools.cisco.com/security/center/viewAlert.x?alertId=23086
http://tools.cisco.com/security/center/viewAlert.x?alertId=23087
References
http://www.vupen.com/english/advisories/2011/1268
http://tools.cisco.com/security/center/viewAlert.x?alertId=23085
http://tools.cisco.com/security/center/viewAlert.x?alertId=23086
http://tools.cisco.com/security/center/viewAlert.x?alertId=23087
http://seclists.org/fulldisclosure/2011/May/369
http://seclists.org/fulldisclosure/2011/May/382
Credits
Vulnerabilities reported by Sense of Security Labs.
Changelog
2011-05-19 : Initial release