
Cisco Smart Net Total Care SQL Injection Vulnerability


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A vulnerability in the web-based management interface of the Cisco Smart Net Total Care (SNTC) Contracts Details Page could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack.

Threat details

This could allow the attacker to compromise the confidentiality of the system through SQL timing attacks.

The vulnerability is due to insufficient input validation of certain user-supplied fields that the affected software subsequently uses to build SQL queries. An attacker could exploit this vulnerability by submitting crafted URLs to the affected software. To execute an attack successfully, the attacker would need to submit a number of requests to the affected software. A successful exploit could allow the attacker to determine the presence of values in the SQL database of the affected software.
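Because a blind timing attack of the kind described above needs many requests to the same page, with the parameter value changing each time and the response delayed whenever the probe succeeds, the traffic pattern is visible in web-server or reverse-proxy logs. The following added example (not code from the NHS Digital alert or from Cisco) parses constructed log lines and flags a client whose requests to the contracts page show that pattern; the log format, the `/sntc/contracts/details` path and the thresholds are assumptions to adapt to the real deployment.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real SNTC logs). Assumed format: client IP, ident,
# user, timestamp, request line, status, then response time in milliseconds.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Feb/2020:10:01:01 +0000] "GET /sntc/contracts/details?id=1001 HTTP/1.1" 200 120
10.0.0.5 - alice [12/Feb/2020:10:04:09 +0000] "GET /sntc/contracts/details?id=1002 HTTP/1.1" 200 110
10.0.0.9 - mallory [12/Feb/2020:10:02:01 +0000] "GET /sntc/contracts/details?id=probe-01 HTTP/1.1" 200 5120
10.0.0.9 - mallory [12/Feb/2020:10:02:07 +0000] "GET /sntc/contracts/details?id=probe-02 HTTP/1.1" 200 5090
10.0.0.9 - mallory [12/Feb/2020:10:02:13 +0000] "GET /sntc/contracts/details?id=probe-03 HTTP/1.1" 200 140
10.0.0.9 - mallory [12/Feb/2020:10:02:19 +0000] "GET /sntc/contracts/details?id=probe-04 HTTP/1.1" 200 5070
10.0.0.9 - mallory [12/Feb/2020:10:02:25 +0000] "GET /sntc/contracts/details?id=probe-05 HTTP/1.1" 200 5110
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<ms>\d+)$'
)
CONTRACTS_PATH = "/sntc/contracts/details"  # assumed path of the affected page
SLOW_MS = 3000        # responses at or above this are treated as delayed
MIN_REQUESTS = 5      # blind timing inference needs many requests to one page
SLOW_FRACTION = 0.5   # share of delayed responses that is suspicious

def parse_line(line):
    """Return (ip, user, path, query, response_ms), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return m.group("ip"), m.group("user"), path, query, int(m.group("ms"))

def find_timing_probes(log_text):
    """Flag (ip, user) pairs whose traffic to the contracts page looks like a timing probe."""
    stats = defaultdict(lambda: {"requests": 0, "slow": 0, "queries": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != CONTRACTS_PATH:
            continue
        ip, user, _, query, ms = rec
        s = stats[(ip, user)]
        s["requests"] += 1
        s["slow"] += int(ms >= SLOW_MS)
        s["queries"].add(query)  # varying values across many requests is the tell
    flagged = {}
    for key, s in stats.items():
        if (s["requests"] >= MIN_REQUESTS and len(s["queries"]) >= MIN_REQUESTS
                and s["slow"] / s["requests"] >= SLOW_FRACTION):
            flagged[key] = {"requests": s["requests"], "slow": s["slow"]}
    return flagged
```

Calling `find_timing_probes(SAMPLE_LOG)` flags only `mallory@10.0.0.9`; the legitimate user with two ordinary-speed requests is left alone.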


Remediation steps


Currently no workarounds exist for this vulnerability.

Users and administrators are encouraged to regularly review the following Cisco security advisory and apply the necessary updates when they become available:

  • cisco-sa-20170802-sntc

Last edited: 17 February 2020 11:29 am