Cisco Systems has released a security update that addresses flaws in its CallManager and Unified Communications Manager product line. An attacker can exploit the flaws to conduct cross-site scripting and SQL injection attacks.
Cisco CallManager (CCM) is the software-based call processing component for Cisco's IP telephony product line. Cisco Unified Communications Manager extends enterprise telephony features and capabilities to packet network devices such as IP phones, media processing devices, voice over IP (VoIP) gateways, and multimedia applications, according to the Cisco Web site. Additional services, such as unified messaging, multimedia conferencing, collaborative contact centers, and interactive multimedia response systems are made possible through open telephony APIs, Cisco said.
Danish vulnerability clearinghouse Secunia rates the flaws as moderately critical in its SA26641 advisory, describing two specific problems.
The input passed to unspecified parameters to the admin or user logon pages is not properly sanitised before being returned to the user, Secunia said. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Also, input passed to unspecified parameters to the admin or user logon pages is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, Secunia said.
Secunia independently confirmed that the flaws affect Cisco CallManager and Unified Communications Manager released prior to versions 3.3(5)sr2b, 4.1(3)sr5, 4.2(3)sr2 and 4.3(1)sr1. The solution is to update to versions 3.3(5)sr2b, 4.1(3)sr5, 4.2(3)sr2, or 4.3(1)sr1.