Cisco Secure Access Control System (ACS) prior to version 5.5 patch 8 is vulnerable to a SQL injection
attack in the ACS View reporting interface pages. A
successful attack could allow an authenticated, remote attacker to access and modify information such as RADIUS accounting records stored in one of the ACS View databases or to access information in the underlying file system. A previous version of this advisory indicated that a product running version 5.5 patch 7 was not vulnerable; however, customers running version 5.5 patch 7 should upgrade to patch 8 to completely mitigate the vulnerability described in this advisory.
Cisco has released free software updates that address this vulnerability.
This advisory is available at the following link: