Cisco published an advisory report yesterday detailing multiple vulnerabilities in there Unified Communications Manager.
There are three denial of service vulnerabilities that affect session initiation protocol services, two SQL injection vulnerabilities, and a directory transversal vulnerability.
These bugs affect versions 6-8 of Cisco’s Unified Communications Manager.
The DoS bugs are triggered by a malformed SIP message that could cause a critical process to fail, resulting in the failure of voice services.
The directory transversal vulnerability would allow a remote attacker the ability to intercept a packet to the affected device and specify different locations or filename, which could then be used to upload malicious files.
The SQL bugs could allow authorized and unauthorized remote attackers to modify system configurations, creating, modifying and deleting users and/or configurations of Cisco Unified Communications Manager.
Cisco has released updates to remedy affected versions and a work-around
exists for the session initiation protocol vulnerability.
For more information, visit Cisco’s security advisory page.