Cisco Patched a critical SQL Injection Vulnerability in Cisco Prime License Manager which allows an unauthenticated remote attacker to execute arbitrary SQL queries.
SQL injection is a code injection technique, in which attackers take non-validated input vulnerabilities and inject SQL commands through web applications that are executed in the backend database.
The vulnerability with Cisco Prime License Manager is due to lack of proper validation with the user-supplied input SQL queries. An unauthenticated remote attacker could exploit the vulnerability by sending an HTTP post request that contains a malicious SQL query.
Successful exploitation of the vulnerability could allow an attacker to delete or modify arbitrary data or to gain privilege access as Postgres user. The vulnerability can be tracked as CVE-2018-15441 and Cisco released software updates to address the vulnerability.
The vulnerability affects Cisco Prime License Manager Releases 11.0.1 and above, Cisco Unified Communications Manager and Cisco Unity Connection Releases 12.0 and later are not affected, as the License Manager not included in these versions.
Cisco released a patch ciscocm.CSCvk30822_v1.0.k3.cop.sgn for Cisco Prime License Manager and can be applicable to Cisco Unified Communications Manager and Cisco Unity Connection 11.5(1) only, the customer who uses earlier release should update for 11.5(1) reads the Cisco Security advisory.
The patch file along with the instructions can be downloaded from here.