SQL injection in Cisco Identity Services Engine



| Updated: 2016-10-27
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-6453
CWE-ID CWE-89
Exploitation vector Network
Public exploit N/A
Vulnerable software
Other
Vendor

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) SQL injection

EUVDB-ID: #VU1085

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-6453

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to inject SQL commands on the target system.
The weakness is due to improper input validation. By supplying a specially crafted parameter value, a remote attacker cam execute SQL commands.
Successful exploitation may result in the vulnerable system compromise.

Mitigation

Cybersecurity Help is currently unaware of any official patch addressing the vulnerability.

Vulnerable software versions

: 1.3

CPE2.3 External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-ise


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###