Aaron Rhodes

**Name of the Vulnerable Software and Affected Versions** Cisco Common Services Platform Collector (CSPC) (affected versions not specified) **Description** A vulnerability in the web application of Cisco Common Services Platform Collector could allow an authenticated, remote attacker to specify non-log files as sources for syslog reporting. This issue is due to improper restriction of the syslog configuration. An attacker could exploit this by configuring non-log files as sources for syslog reporting through the web application, potentially allowing them to read non-log files on the CSPC. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Common Services Platform Collector (affected versions not specified) **Description** The issue is related to insufficient input validation of uploaded files in the configuration dashboard of Cisco Common Services Platform Collector. This could allow an authenticated, remote attacker to submit a SQL query through the configuration dashboard by uploading a file containing a SQL query. A successful exploit could allow the attacker to read restricted information from the CSPC SQL database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Common Services Platform Collector (CSPC) (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This is due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit this by adding malicious code to the configuration using the web-based management interface. A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Common Services Platform Collector (CSPC) (affected versions not specified) **Description** A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to execute arbitrary code. This issue is due to insufficient sanitization of configuration entries. An attacker could exploit this vulnerability by logging in as a super admin and entering crafted input to configuration options on the CSPC configuration dashboard. A successful exploit could allow the attacker to execute remote code as root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.