First published: Thu Mar 19 2020
A vulnerability in the web UI of Cisco SD-WAN Solution vManage software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web UI improperly validates SQL values. An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on, or return values from, the underlying database as well as the operating system.
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco Sd-wan Firmware | <19.2.2 | |
Cisco 1100-4g Integrated Services Router | | |
Cisco 1100-4gltegb Integrated Services Router | | |
Cisco 1100-4gltena Integrated Services Router | | |
Cisco 1100-6g Integrated Services Router | | |
Cisco Vedge 100 | | |
Cisco Vedge 1000 | | |
Cisco Vedge 100b | | |
Cisco Vedge 100m | | |
Cisco Vedge 100wm | | |
Cisco Vedge 2000 | | |
Cisco Vedge 5000 | | |
CVE-2019-16012 is a vulnerability in the web UI of Cisco SD-WAN Solution vManage software that allows an authenticated remote attacker to conduct SQL injection attacks.
CVE-2019-16012 affects Cisco SD-WAN Solution vManage software by allowing an authenticated remote attacker to conduct SQL injection attacks.
CVE-2019-16012 has a severity rating of 8.1 (High).
An attacker can exploit CVE-2019-16012 by taking advantage of the web UI's improper validation of SQL values.
Cisco has released a security advisory with instructions to mitigate the vulnerability. Please refer to the reference link for more information.