CVSS: 10.0EPSS: 88%CPEs: 6EXPL: 2CVE-2012-0262 – OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'welcome' Remote Command Execution
https://notcve.org/view.php?id=CVE-2012-0262
op5config/welcome in system-op5config before 2.0.3 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter. op5config/welcome en el sistema-op5config anterior a 2.0.3 en el Monitor y Appliance de op5 antes de 5.5.3 permite a atacantes remotos ejecutar comandos arbitrarios mediante metacaracteres de shell en el parámetro de contraseña. OP5 suffers from poor session management, credential leakage and multiple remote root command execution vulnerabilities. • https://www.exploit-db.com/exploits/41687 http://seclists.org/fulldisclosure/2012/Jan/62 http://secunia.com/advisories/47417 http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance http://www.osvdb.org/78065 https://bugs.op5.com/view.php?id=5094 http://web.archive.org/web/20120114164329/http://secunia.com:80/advisories/47417 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.0EPSS: 0%CPEs: 4EXPL: 1CVE-2012-0263 – OP5 Command Execution / Information Disclosure
https://notcve.org/view.php?id=CVE-2012-0263
monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows remote authenticated users to obtain sensitive information such as database and user credentials via error messages that are triggered by (1) a malformed hoststatustypes parameter to status/service/all or (2) a crafted request to config. monitor / index.php en el Monitor y Appliance de op5 anteriores a 5.5.1 permite a usuarios remotos autenticados obtener información confidencial, como bases de datos y las credenciales del usuario a través de los mensajes de error que se desencadenan por (1) un parámetro hoststatustypes malformado en estado/servicio/ todos o (2) una solicitud manipulada en las configuraciones. OP5 suffers from poor session management, credential leakage and multiple remote root command execution vulnerabilities. • http://seclists.org/fulldisclosure/2012/Jan/62 http://secunia.com/advisories/47344 http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance http://www.osvdb.org/78067 https://bugs.op5.com/view.php?id=5094 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 4%CPEs: 65EXPL: 0CVE-2008-5027
https://notcve.org/view.php?id=CVE-2008-5027
The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote authenticated users to bypass authorization checks, and trigger execution of arbitrary programs by this process, via an (a) custom form or a (b) browser addon. El proceso Nagios en (1) Nagios anterior a v3.0.5 y (2) op5 Monitor anterior a v4.0.1 ; permite a usuarios autenticados en remoto evitar las comprobaciones de autorización y provocar la ejecución de ficheros de su elección por este proceso a través de (a) un formulario personalizado o (b) un complemento para el navegador. • http://marc.info/?l=bugtraq&m=124156641928637&w=2 http://secunia.com/advisories/33320 http://secunia.com/advisories/35002 http://security.gentoo.org/glsa/glsa-200907-15.xml http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel http://www.nagios.org/development/history/nagios-3x.php http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor http://www.openwall.com/lists/oss-security/2008/11/06/2 http&# • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 2%CPEs: 65EXPL: 0CVE-2008-5028
https://notcve.org/view.php?id=CVE-2008-5028
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecified HTTP requests. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en cmd.cgi en (1) Nagios 3.0.5 y (2) op5 Monitor antes de v4.0.1 permite a atacantes remotos enviar comandos al proceso Nagios y dispara la ejecución de programas de su elección por este proceso, mediante peticiones HTTP no especificadas. • http://git.op5.org/git/?p=nagios.git%3Ba=commit%3Bh=814d8d4d1a73f7151eeed187c0667585d79fea18 http://marc.info/?l=bugtraq&m=124156641928637&w=2 http://osvdb.org/49678 http://secunia.com/advisories/32610 http://secunia.com/advisories/32630 http://secunia.com/advisories/33320 http://secunia.com/advisories/35002 http://security.gentoo.org/glsa/glsa-200907-15.xml http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel http://www.op5.c • CWE-352: Cross-Site Request Forgery (CSRF) •