Cisco patched a Prime License Manager SQL injection vulnerability which could allow an unauthenticated, remote attacker to execute arbitrary SQL queries
The vulnerability in the product’s web framework code was caused by a lack of proper validation of user-supplied input in SQL queries and as a result, an attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application, according to a Nov. 28 advisory.
The vulnerability affects Cisco Prime License Manager Releases 11.0.1 and later and both standalone deployments of Cisco Prime License Manager and coresident deployments are affected.
“A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user,” the advisory said. “Cisco has released software updates that address this vulnerability”
There are no workarounds that address the flaw.