ID

VAR-201711-0305


CVE

CVE-2017-12276


TITLE

Cisco Prime Collaboration Provisioning Application input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-009839

DESCRIPTION

A vulnerability in the web framework code for the SQL database interface of the Cisco Prime Collaboration Provisioning application could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. The attacker could read or write information from the SQL database. The vulnerability is due to a lack of proper validation on user-supplied input within SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected application. An exploit could allow the attacker to determine the presence of certain values and write malicious input in the SQL database. The attacker would need to have valid user credentials. This vulnerability affects Cisco Prime Collaboration Provisioning Software Releases prior to 12.3. Cisco Bug IDs: CSCvf47935. Vendors have confirmed this vulnerability, which is released as Bug ID CSCvf47935. Information may be obtained and information may be altered. The software provides IP communications services functionality for IP telephony, voice mail, and unified communications environments.

Trust: 1.98

sources: NVD: CVE-2017-12276 // JVNDB: JVNDB-2017-009839 // BID: 101640 // VULHUB: VHN-102782

AFFECTED PRODUCTS

vendor:cisco model:prime collaboration provisioning scope:lt version:12.3

Trust: 1.8

vendor:cisco model:prime collaboration provisioning scope:eq version:11.1.0

Trust: 0.6

vendor:cisco model:prime collaboration provisioning scope:eq version:11.5.0

Trust: 0.6

vendor:cisco model:prime collaboration provisioning scope:eq version:11.0.0

Trust: 0.6

vendor:cisco model:prime collaboration provisioning scope:eq version:10.6.2

Trust: 0.6

vendor:cisco model:prime collaboration provisioning scope:eq version:10.5.1

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:9.5

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:9.0

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:12.1

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:11.6

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:11.5

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:11.2

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:11.1

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:11.0

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:10.6

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:10.5

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:eq version:10.0

Trust: 0.3

vendor:cisco model:prime collaboration scope:eq version:11.5(0)

Trust: 0.3

vendor:cisco model:prime collaboration provisioning scope:ne version:12.3

Trust: 0.3

sources: BID: 101640 // JVNDB: JVNDB-2017-009839 // CNNVD: CNNVD-201711-077 // NVD: CVE-2017-12276

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-12276
value: HIGH

Trust: 1.0

NVD: CVE-2017-12276
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201711-077
value: HIGH

Trust: 0.6

VULHUB: VHN-102782
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-12276
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-102782
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-12276
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-102782 // JVNDB: JVNDB-2017-009839 // CNNVD: CNNVD-201711-077 // NVD: CVE-2017-12276

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

problemtype: CWE-89

Trust: 1.1

sources: VULHUB: VHN-102782 // JVNDB: JVNDB-2017-009839 // NVD: CVE-2017-12276

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201711-077

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201711-077

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009839

PATCH

title:cisco-sa-20171101-cpcp url:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp

Trust: 0.8

title:Cisco Prime Collaboration Provisioning Fixes for application security vulnerabilities url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76080

Trust: 0.6

sources: JVNDB: JVNDB-2017-009839 // CNNVD: CNNVD-201711-077

EXTERNAL IDS

db:NVD id:CVE-2017-12276

Trust: 2.8

db:BID id:101640

Trust: 2.0

db:SECTRACK id:1039711

Trust: 1.7

db:JVNDB id:JVNDB-2017-009839

Trust: 0.8

db:CNNVD id:CNNVD-201711-077

Trust: 0.7

db:VULHUB id:VHN-102782

Trust: 0.1

sources: VULHUB: VHN-102782 // BID: 101640 // JVNDB: JVNDB-2017-009839 // CNNVD: CNNVD-201711-077 // NVD: CVE-2017-12276

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171101-cpcp

Trust: 2.0

url:http://www.securityfocus.com/bid/101640

Trust: 1.7

url:http://www.securitytracker.com/id/1039711

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12276

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-12276

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-102782 // BID: 101640 // JVNDB: JVNDB-2017-009839 // CNNVD: CNNVD-201711-077 // NVD: CVE-2017-12276

CREDITS

Vincent Hutsebaut

Trust: 0.3

sources: BID: 101640

SOURCES

db:VULHUB id:VHN-102782
db:BID id:101640
db:JVNDB id:JVNDB-2017-009839
db:CNNVD id:CNNVD-201711-077
db:NVD id:CVE-2017-12276

LAST UPDATE DATE

2024-11-23T22:30:38.191000+00:00


SOURCES UPDATE DATE

db:VULHUB id:VHN-102782 date:2019-10-09T00:00:00
db:BID id:101640 date:2017-12-19T22:00:00
db:JVNDB id:JVNDB-2017-009839 date:2017-11-24T00:00:00
db:CNNVD id:CNNVD-201711-077 date:2019-10-17T00:00:00
db:NVD id:CVE-2017-12276 date:2024-11-21T03:09:12.963

SOURCES RELEASE DATE

db:VULHUB id:VHN-102782 date:2017-11-02T00:00:00
db:BID id:101640 date:2017-11-01T00:00:00
db:JVNDB id:JVNDB-2017-009839 date:2017-11-24T00:00:00
db:CNNVD id:CNNVD-201711-077 date:2017-11-03T00:00:00
db:NVD id:CVE-2017-12276 date:2017-11-02T16:29:00.397