V-139: Cisco Network Admission Control Input Validation Flaw Lets Remote Users Inject SQL Commands

April 21, 2013 - 11:50pm

PROBLEM:

Cisco Network Admission Control Input Validation Flaw Lets Remote Users Inject SQL Commands

PLATFORM:

Cisco NAC Manager versions prior to 4.8.3.1 and 4.9.2

ABSTRACT:

A vulnerability was reported in Cisco Network Admission Control.

REFERENCE LINKS:

SecurityTracker Alert ID: 1028451
Cisco Advisory ID: cisco-sa-20130417-nac
CVE-2013-1177

IMPACT ASSESSMENT:

High

DISCUSSION:

The Cisco Network Admission Control (NAC) Manager does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

IMPACT:

A remote user can execute SQL commands on the underlying database.

SOLUTION:

The vendor has issued a fix (4.8.3.1, 4.9.2).
