
Cisco patches Prime License Manager SQL injection vulnerability

Cisco patched a Prime License Manager SQL injection vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary SQL queries.

The vulnerability in the product’s web framework code was caused by a lack of proper validation of user-supplied input used in SQL queries. As a result, an attacker could exploit it by sending crafted HTTP POST requests containing malicious SQL statements to an affected application, according to a Nov. 28 advisory.
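As an added illustration of the root cause the advisory describes (a POST parameter interpolated into SQL text versus the same parameter passed as a bound value), the following constructed Python snippet is not Cisco's code and uses an in-memory SQLite table in place of the PLM Postgres database:

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    # Constructed stand-in table; not PLM's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (id INTEGER PRIMARY KEY, product TEXT, owner TEXT)")
    conn.executemany("INSERT INTO licenses (product, owner) VALUES (?, ?)",
                     [("cucm", "alice"), ("unity", "bob"), ("cucm", "carol")])
    return conn

def post_param(body, name):
    """Pull one field out of a form-encoded POST body (assumed request shape)."""
    return parse_qs(body).get(name, [""])[0]

def lookup_vulnerable(conn, body):
    # Root cause as described in the advisory: user-supplied input is placed
    # directly into the SQL text, so the database parses it as part of the query.
    product = post_param(body, "product")
    sql = "SELECT owner FROM licenses WHERE product = '%s' ORDER BY id" % product
    return [row[0] for row in conn.execute(sql)]

def lookup_fixed(conn, body):
    # Hardened form: a bound parameter is always treated as a value, never as SQL.
    product = post_param(body, "product")
    sql = "SELECT owner FROM licenses WHERE product = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (product,))]

def input_is_well_formed(value):
    # Defence in depth: reject values outside the expected product-code format
    # before they reach the database layer at all.
    return value.isalnum() and 0 < len(value) <= 32

if __name__ == "__main__":
    conn = make_db()
    # Constructed bodies; the second decodes to the classic tautology ' OR '1'='1
    normal = "product=unity"
    hostile = "product=%27+OR+%271%27%3D%271"
    print(lookup_vulnerable(conn, hostile))  # every owner leaks
    print(lookup_fixed(conn, hostile))       # []
    print(input_is_well_formed(post_param(hostile, "product")))  # False
```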

The vulnerability affects Cisco Prime License Manager Releases 11.0.1 and later, in both standalone and coresident deployments of Cisco Prime License Manager.

“A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user,” the advisory said. “Cisco has released software updates that address this vulnerability.”

There are no workarounds that address the flaw.
