CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-40131 – Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2021-40131
A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit this vulnerability by adding malicious code to the configuration by using the web-based management interface. A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Common Services Platform Collector (CSPC) podría permitir a un atacante remoto autenticado conducir un ataque de tipo cross-site scripting (XSS) contra un usuario de la interfaz. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-XSS-KjrNbM3p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-40130 – Cisco Common Services Platform Collector Improper Logging Restriction Vulnerability
https://notcve.org/view.php?id=CVE-2021-40130
A vulnerability in the web application of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to specify non-log files as sources for syslog reporting. This vulnerability is due to improper restriction of the syslog configuration. An attacker could exploit this vulnerability by configuring non-log files as sources for syslog reporting through the web application. A successful exploit could allow the attacker to read non-log files on the CSPC. Una vulnerabilidad en la aplicación web de Cisco Common Services Platform Collector (CSPC) podría permitir a un atacante remoto y autenticado especificar archivos que no son de registro como fuentes para los informes de syslog. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-ILR-8qmW8y8X • CWE-284: Improper Access Control •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-40129 – Cisco Common Services Platform Collector SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-40129
A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to submit a SQL query through the CSPC configuration dashboard. This vulnerability is due to insufficient input validation of uploaded files. An attacker could exploit this vulnerability by uploading a file containing a SQL query to the configuration dashboard. A successful exploit could allow the attacker to read restricted information from the CSPC SQL database. Una vulnerabilidad en el panel de configuración de Cisco Common Services Platform Collector (CSPC) podría permitir a un atacante remoto autenticado enviar una consulta SQL mediante el panel de configuración de CSPC. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-SQLI-unVPTn5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-34774 – Cisco Common Services Platform Collector Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-34774
A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to access sensitive data on an affected system. This vulnerability exists because the application does not sufficiently protect sensitive data when responding to a specific API request. An attacker could exploit the vulnerability by sending a crafted HTTP request to the affected application. A successful exploit could allow the attacker to obtain sensitive information about the users of the application, including security questions and answers. To exploit this vulnerability an attacker would need valid Administrator credentials. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cspc-info-disc-KM3bGVL • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-1538 – Cisco Common Services Platform Collector Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1538
A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to execute arbitrary code. This vulnerability is due to insufficient sanitization of configuration entries. An attacker could exploit this vulnerability by logging in as a super admin and entering crafted input to configuration options on the CSPC configuration dashboard. A successful exploit could allow the attacker to execute remote code as root. Una vulnerabilidad en el panel de configuración de Cisco Common Services Platform Collector (CSPC) podría permitir a un atacante remoto y autenticado ejecutar código arbitrario. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-CIV-kDuBfNfu • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •