====================================================================

                              CERT-Renater

                 Note d'Information No. 2017/VULN326
_____________________________________________________________________

DATE                : 02/11/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Cisco Prime Collaboration Provisioning Software
                            versions prior to 12.3.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp
____________________________________________________________________

Cisco Security Advisory: Cisco Prime Collaboration Provisioning
Authenticated SQL Injection Vulnerability

Advisory ID: cisco-sa-20171101-cpcp

Revision: 1.0

For Public Release: 2017 November 1 16:00 GMT

Last Updated: 2017 November 1 16:00 GMT

CVE ID(s): CVE-2017-12276

CVSS Score v(3): 8.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

+---------------------------------------------------------------------

Summary
=======
A vulnerability in the web framework code for the SQL database
interface of the Cisco Prime Collaboration Provisioning application
could allow an authenticated, remote attacker to impact the
confidentiality and integrity of the application by executing arbitrary
SQL queries. The attacker could read or write information from the SQL
database.

The vulnerability is due to a lack of proper validation on
user-supplied input within SQL queries. An attacker could exploit this
vulnerability by sending crafted URLs that contain malicious SQL
statements to the affected application. An exploit could allow the
attacker to determine the presence of certain values and write
malicious input in the SQL database. The attacker would need to have
valid user credentials.

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp
["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp"]


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================