CVE-2024-20340

Published: Oct 23, 2024Modified: Mar 4, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, an attacker must have a valid account on the device with the role of Security Approver, Intrusion Admin, Access Admin, or Network Admin. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to read the contents of databases on the affected device and also obtain limited read access to the underlying operating system.

Affected (39)

Products: Cisco: Secure Firewall Management Center

Cisco

1 product

Secure Firewall Management Center

Configuration A

39 vulnerable

Vulnerable Software	Affected Versions
Cisco Secure Firewall Management Center	Version 7.0.0.1
Cisco Secure Firewall Management Center	Version 7.0.0
Cisco Secure Firewall Management Center	Version 7.0.1.1
Cisco Secure Firewall Management Center	Version 7.0.1
Cisco Secure Firewall Management Center	Version 7.0.2.1
Cisco Secure Firewall Management Center	Version 7.0.2
Cisco Secure Firewall Management Center	Version 7.0.3
Cisco Secure Firewall Management Center	Version 7.0.4
Cisco Secure Firewall Management Center	Version 7.0.5
Cisco Secure Firewall Management Center	Version 7.0.6.1
Cisco Secure Firewall Management Center	Version 7.0.6.2
Cisco Secure Firewall Management Center	Version 7.0.6
Cisco Secure Firewall Management Center	Version 7.1.0.1
Cisco Secure Firewall Management Center	Version 7.1.0.2
Cisco Secure Firewall Management Center	Version 7.1.0.3
Cisco Secure Firewall Management Center	Version 7.1.0
Cisco Secure Firewall Management Center	Version 7.2.0.1
Cisco Secure Firewall Management Center	Version 7.2.0
Cisco Secure Firewall Management Center	Version 7.2.1
Cisco Secure Firewall Management Center	Version 7.2.2
Cisco Secure Firewall Management Center	Version 7.2.3.1
Cisco Secure Firewall Management Center	Version 7.2.3
Cisco Secure Firewall Management Center	Version 7.2.4.1
Cisco Secure Firewall Management Center	Version 7.2.4
Cisco Secure Firewall Management Center	Version 7.2.5.1
Cisco Secure Firewall Management Center	Version 7.2.5.2
Cisco Secure Firewall Management Center	Version 7.2.5
Cisco Secure Firewall Management Center	Version 7.2.6
Cisco Secure Firewall Management Center	Version 7.2.7
Cisco Secure Firewall Management Center	Version 7.2.8.1
Cisco Secure Firewall Management Center	Version 7.2.8
Cisco Secure Firewall Management Center	Version 7.3.0
Cisco Secure Firewall Management Center	Version 7.3.1.1
Cisco Secure Firewall Management Center	Version 7.3.1.2
Cisco Secure Firewall Management Center	Version 7.3.1
Cisco Secure Firewall Management Center	Version 7.4.0
Cisco Secure Firewall Management Center	Version 7.4.1.1
Cisco Secure Firewall Management Center	Version 7.4.1
Cisco Secure Firewall Management Center	Version 7.4.2

Related CWEs

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sql-inject-2EnmTC8v

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.