VYPR
Unrated severity · NVD Advisory · Published May 3, 2011 · Updated Apr 29, 2026

CVE-2011-1610

Description

Multiple SQL injection vulnerabilities in Cisco Unified Communications Manager allow unauthenticated remote attackers to execute arbitrary SQL commands via the xmldirectorylist.jsp script.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The embedded Apache HTTP Server component in Cisco Unified Communications Manager (CUCM) contains multiple SQL injection vulnerabilities in the xmldirectorylist.jsp script. The f, l, and n parameters are not properly sanitized before being passed to the database, allowing injection of arbitrary SQL statements. Affected versions include CUCM 6.x before 6.1(5)su3, 7.x before 7.1(5)su4, 8.0 before 8.0(3a)su2, and 8.5 before 8.5(1)su1 [1][3].

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending crafted HTTP requests to the vulnerable xmldirectorylist.jsp endpoint. The attacker injects malicious SQL code into the f, l, or n parameters, which are then executed by the backend database [3]. No special network position or user interaction is required.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized disclosure of sensitive information, modification or deletion of data, and potentially full compromise of the database server [1]. The impact is limited to the database layer, but given the critical role of CUCM in voice communications, the consequences can be severe.

Mitigation

Cisco has released fixed versions to address these vulnerabilities: 6.1(5)su3, 7.1(5)su4, 8.0(3a)su2, and 8.5(1)su1 [1]. Administrators should upgrade to the appropriate fixed version as soon as possible. No workarounds are documented. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
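Until an upgrade is in place, web access logs can be reviewed for requests to the script with SQL syntax in the three parameters named above. The following is an added example, not code from Cisco or from this advisory; it assumes combined-format access log lines, and the sample entries and the `/example/` path prefix are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "xmldirectorylist.jsp"   # script named in the advisory
PARAMS = ("f", "l", "n")            # parameters named in the advisory
# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters and keywords that have no place in a directory name search.
SUSPICIOUS_RE = re.compile(r"""['";]|--|/\*|\b(?:union|select|insert|update|delete|drop|exec)\b""", re.I)

def fully_decode(value, rounds=3):
    """Undo nested URL encoding (e.g. %2527) so encoded quotes are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return {param: decoded value} for f/l/n values that look like SQL syntax."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return {}
    target = urlsplit(match.group(1))
    if not target.path.lower().endswith("/" + ENDPOINT):
        return {}
    hits = {}
    for name, values in parse_qs(target.query, keep_blank_values=True).items():
        if name.lower() not in PARAMS:
            continue
        for raw in values:
            value = fully_decode(raw)
            if SUSPICIOUS_RE.search(value):
                hits[name.lower()] = value
    return hits

# Constructed sample lines; the "/example/" prefix is a placeholder, not the product's real path.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2011:10:00:01 +0000] "GET /example/xmldirectorylist.jsp?l=Smith&f=Anna HTTP/1.1" 200 512',
    '192.0.2.44 - - [03/May/2011:10:00:07 +0000] "GET /example/xmldirectorylist.jsp?l=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9001',
    '192.0.2.44 - - [03/May/2011:10:00:09 +0000] "GET /example/xmldirectorylist.jsp?n=1%2527-- HTTP/1.1" 200 9001',
    '192.0.2.10 - - [03/May/2011:10:00:12 +0000] "GET /example/other.jsp?l=a%27b HTTP/1.1" 200 100',
]

def scan(lines):
    """Return (line number, hits) for every line with a flagged parameter."""
    return [(i, h) for i, line in enumerate(lines, 1) if (h := suspicious_params(line))]
```

Surnames containing an apostrophe will also be flagged, so hits are leads for review rather than confirmed injection attempts.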

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

49
    • cpe:2.3:a:cisco:unified_communications_manager:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(1\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(1a\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(1b\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(2\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(2\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(2\)su1a:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(3\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(3a\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(3b\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(3b\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(4\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(4a\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(4a\)su2:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(4\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(5\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(5\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:6.1\(5\)su2:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.0\(1\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.0\(1\)su1a:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.0\(2\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.0\(2a\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.0\(2a\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.0\(2a\)su2:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(2a\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(2a\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(2b\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(2b\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(3\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(3a\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(3a\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(3a\)su1a:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(3b\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(3b\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(3b\)su2:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(5\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(5a\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(5b\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(5b\)su2:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(5b\)su3:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(5\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:7.1\(5\)su1a:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:8.0\(2c\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:8.0\(2c\)su1:*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:8.0\(3\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:8.0\(3a\):*:*:*:*:*:*:*
    • cpe:2.3:a:cisco:unified_communications_manager:8.0\(3a\)su1:*:*:*:*:*:*:*
    • (no CPE) range: 6.x < 6.1(5)su3, 7.x < 7.1(5)su4, 8.0 < 8.0(3a)su2, 8.5 < 8.5(1)su1
