Cisco CallManager/Unified Communications Manager Logon Page XSS and SQL Injection
Thursday, 30 August 2007
Cisco has made free software available to address these vulnerabilities for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml.
Cisco CallManager and Unified Communications Manager versions prior to the following are affected by these vulnerabilities:
The software version of a CallManager or Unified Communications Manager system can be determined by navigating to Show > Software via the administration interface.
For Unified Communications Manager version 5.0, the software version can also be determined by running the command show version active in the Command Line Interface (CLI).
For CallManager and Unified Communications Manager version 3.x and 4.x systems, the software version can be determined by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the administration interface.
Note: Cisco Unified CallManager versions 4.3, 5.1 and 6.0 have been renamed to Cisco Unified Communications Manager. Software versions 3.3, 4.0, 4.1, 4.2 and 5.0 retain the Cisco Unified CallManager name.
Products confirmed not vulnerable
No other Cisco products are known to be affected by this vulnerability.
No other versions of CallManager or Unified Communications Manager are vulnerable.
For more details about the vulnerabilities, read the original advisory at:
Share this content: