Cisco Unified CM is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Cisco Unified CM and associated products may contain one or more of the following blind SQL injection vulnerabilities. The vulnerabilities may be exploited from an authenticated or unauthenticated context, depending on the particular vulnerability.

SQL injection vulnerabilities are due to a failure to perform proper validation of user-supplied requests before they are used to form an SQL query. An attacker could exploit this behavior by injecting SQL commands. An exploit could allow the attacker to disclose or modify arbitrary information in the database.

The first of the identified vulnerabilities could be exploited by an unauthenticated, remote attacker. An exploit could allow the attacker to use metadata to recreate encrypted information in the database. This metadata could be used to reconstruct encrypted credentials.

This vulnerability is documented in Cisco bug ID CSCuh01051 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-3404. This vulnerability applies to Cisco Unified CM versions 9.1(1a) and prior.

The second vulnerability could be exploited by an authenticated, remote attacker. An exploit could allow the attacker to modify or insert additional data into certain tables in the database.

This vulnerability is documented in Cisco bug ID CSCuh81766 (registered customers only) and has been assigned CVE ID CVE-2013-3412. This vulnerability applies to Cisco Unified CM versions 9.1(2) and prior.

These vulnerabilities can be exploited over the default management ports, TCP ports 8080 or 8443.

Cisco Unified Communications Manager (Unified CM) contains a hard-coded encryption key used for the encryption of sensitive data stored within the database and for securing computer telephony integration (CTI) communications.

The issue is due to the use of a static symmetric encryption key in all Cisco Unified CM versions. An attacker could exploit this issue by using the secret key to decrypt sensitive data, including user credentials. An exploit could allow the attacker to decrypt sensitive system information, such as user credentials obtained through other attacks.

This issue is documented in Cisco bug ID CSCsc69187 (registered customers only). This issue applies to Cisco Unified CM versions 9.1(2) and prior.

Cisco Unified Presence Server/IM & Presence Service versions 9.1(2) and prior are also affected by this issue. This issue is documented in Cisco bug ID CSCui01756 (registered customers only).

A vulnerability in Cisco Unified Communications Manager (Unified CM) could allow an authenticated, remote attacker to execute commands on the underlying operating system with the privileges of the database user.

The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by submitting malicious input to the affected function.

This vulnerability is documented in Cisco bug ID CSCuh73440 (registered customers only) and has been assigned CVE ID CVE-2013-3402. This vulnerability applies to Cisco Unified CM versions 9.1(2) and prior.

Vulnerabilities in Cisco Unified Communications Manager could allow an authenticated, local attacker to escalate privileges on the system.

The vulnerabilities are due to improper file permissions, environment variables, and relative paths in a privileged system script or binary. An attacker could exploit these vulnerabilities by modifying certain system scripts. This could allow the attacker to gain complete control of the affected system.

The first two privilege escalation vulnerabilities are documented in Cisco bug IDs CSCuh73454 (registered customers only) and CSCuh87042 (registered customers only) and have been assigned CVE ID CVE-2013-3403.

A third privilege escalation vulnerability is documented in Cisco bug ID CSCui02242 (registered customers only) and has been assigned CVE ID CVE-2013-3434.

A fourth privilege escalation vulnerability is documented in Cisco bug ID CSCui02276 (registered customers only) and has been assigned CVE ID CVE-2013-3433.

These vulnerabilities apply to Cisco Unified CM versions 9.1(1a) and prior.
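The advisory states each finding's ceiling in Cisco's `major.minor(build)` notation with "and prior", which makes triage across a fleet error-prone by hand. The following helper, an added example and not Cisco's own tooling, parses that version format into a sortable tuple and lists which of the items above cover a given installed version. Assumptions: the ordering 9.1(1) < 9.1(1a) < 9.1(2) for rebuild letters, and "and prior" read literally as "the listed version or older"; it encodes only the ceilings stated above, not fixed-release or patch status.

```python
import re

# Ceilings and identifiers exactly as stated in the advisory above.
# "and prior" is read as <= ceiling (assumption about the wording).
ADVISORY_ITEMS = [
    ("CVE-2013-3404", "blind SQL injection, unauthenticated (CSCuh01051)", "9.1(1a)"),
    ("CVE-2013-3412", "blind SQL injection, authenticated (CSCuh81766)", "9.1(2)"),
    ("CSCsc69187", "hard-coded database/CTI encryption key", "9.1(2)"),
    ("CVE-2013-3402", "OS command execution as the database user (CSCuh73440)", "9.1(2)"),
    ("CVE-2013-3403", "local privilege escalation (CSCuh73454, CSCuh87042)", "9.1(1a)"),
    ("CVE-2013-3434", "local privilege escalation (CSCui02242)", "9.1(1a)"),
    ("CVE-2013-3433", "local privilege escalation (CSCui02276)", "9.1(1a)"),
]

# major.minor[.maint](build[letter]), e.g. 9.1(1a), 9.1(2), 8.6.2(1)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\((\d+)([a-z]?)\)$")


def parse_ucm_version(text: str) -> tuple:
    """Turn a Unified CM version string into a tuple that sorts in release order.
    Assumed ordering: 9.1(1) < 9.1(1a) < 9.1(2) < 9.2(1); a missing maintenance
    number counts as 0 and a plain build sorts before its rebuild letter."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CM version string: {text!r}")
    major, minor, maint, build, rev = m.groups()
    return (int(major), int(minor), int(maint or 0), int(build), rev)


def applicable_advisories(installed: str) -> list:
    """Return (identifier, summary) pairs whose stated ceiling covers `installed`."""
    ver = parse_ucm_version(installed)
    return [(ident, summary) for ident, summary, ceiling in ADVISORY_ITEMS
            if ver <= parse_ucm_version(ceiling)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in (("cucm-pub", "9.1(1a)"), ("cucm-sub", "9.1(2)"), ("cucm-lab", "10.0(1)")):
        ids = [i for i, _ in applicable_advisories(ver)]
        print(f"{host} {ver}: {', '.join(ids) or 'no listed item applies'}")
```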