CVE-2016-2057 – Xymon 4.3.x Buffer Overflow / Code Execution / Information Disclosure
https://notcve.org/view.php?id=CVE-2016-2057
lib/xymond_ipc.c in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 use weak permissions (666) for an unspecified IPC message queue, which allows local users to inject arbitrary messages by writing to that queue. lib/xymond_ipc.c en Xymon 4.1.x, 4.2.x y 4.3.x en versiones anteriores a 4.3.25 utiliza permisos débiles (666) para una cola de mensajes IPC no especificada, lo que permite a usuarios locales inyectar mensajes arbitrarios escribiendo en esa cola. Xymon 4.3.x versions suffers from buffer overflow, information disclosure, code execution, cross site scripting, and various other vulnerabilities. • http://packetstormsecurity.com/files/135758/Xymon-4.3.x-Buffer-Overflow-Code-Execution-Information-Disclosure.html http://www.debian.org/security/2016/dsa-3495 http://www.securityfocus.com/archive/1/537522/100/0/threaded https://sourceforge.net/p/xymon/code/7891 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2016-2055 – Xymon Daemon Gather Information
https://notcve.org/view.php?id=CVE-2016-2055
xymond/xymond.c in xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote attackers to read arbitrary files in the configuration directory via a "config" command. xymond/xymond.c en xymond en Xymon 4.1.x, 4.2.x y 4.3.x en versiones anteriores a 4.3.25 permite a atacantes remotos leer archivos arbitrarios en el directorio de configuración a través de un comando "config". Xymon 4.3.x versions suffers from buffer overflow, information disclosure, code execution, cross site scripting, and various other vulnerabilities. • http://packetstormsecurity.com/files/135758/Xymon-4.3.x-Buffer-Overflow-Code-Execution-Information-Disclosure.html http://www.debian.org/security/2016/dsa-3495 http://www.securityfocus.com/archive/1/537522/100/0/threaded https://sourceforge.net/p/xymon/code/7890 https://lists.xymon.com/pipermail/xymon/2016-February/042986.html https://xymon.sourceforge.net https://en.wikipedia.org/wiki/Xymon https://en.wikipedia.org/wiki/Big_Brother_(software) • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-2058 – Xymon 4.3.x Buffer Overflow / Code Execution / Information Disclosure
https://notcve.org/view.php?id=CVE-2016-2058
Multiple cross-site scripting (XSS) vulnerabilities in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow (1) remote Xymon clients to inject arbitrary web script or HTML via a status-message, which is not properly handled in the "detailed status" page, or (2) remote authenticated users to inject arbitrary web script or HTML via an acknowledgement message, which is not properly handled in the "status" page. Múltiples vulnerabilidades de XSS en Xymon 4.1.x, 4.2.x y 4.3.x en versiones anteriores a 4.3.25 permiten a (1) clientes remotos Xymon inyectar secuencias de comandos web o HTML arbitrarios a través de un mensaje de estado, que no se maneja correctamente en la página "detailed status", o (2) usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un mensaje de reconocimiento, que no se maneja correctamente en la página "status". Xymon 4.3.x versions suffers from buffer overflow, information disclosure, code execution, cross site scripting, and various other vulnerabilities. • http://packetstormsecurity.com/files/135758/Xymon-4.3.x-Buffer-Overflow-Code-Execution-Information-Disclosure.html http://www.debian.org/security/2016/dsa-3495 http://www.securityfocus.com/archive/1/537522/100/0/threaded https://sourceforge.net/p/xymon/code/7892 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-2056 – Xymon 4.3.25 - useradm Command Execution
https://notcve.org/view.php?id=CVE-2016-2056
xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the adduser_name argument in (1) web/useradm.c or (2) web/chpasswd.c. xymond en Xymon 4.1.x, 4.2.x y 4.3.x en versiones anteriores a 4.3.25 permite a usuarios remotos autenticados ejecutar comandos arbitrarios a través de metacaracteres shell en el argumento adduser_name en (1) web/useradm.c o (2) web/chpasswd.c. Xymon 4.3.x versions suffers from buffer overflow, information disclosure, code execution, cross site scripting, and various other vulnerabilities. • https://www.exploit-db.com/exploits/47114 http://packetstormsecurity.com/files/135758/Xymon-4.3.x-Buffer-Overflow-Code-Execution-Information-Disclosure.html http://packetstormsecurity.com/files/153620/Xymon-useradm-Command-Execution.html http://www.debian.org/security/2016/dsa-3495 http://www.securityfocus.com/archive/1/537522/100/0/threaded https://sourceforge.net/p/xymon/code/7892 https://lists.xymon.com/pipermail/xymon/2016-February/042986.html https://www.securityfocus.com/archive/1/5375 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2013-4173
https://notcve.org/view.php?id=CVE-2013-4173
Directory traversal vulnerability in the trend-data daemon (xymond_rrd) in Xymon 4.x before 4.3.12 allows remote attackers to delete arbitrary files via a .. (dot dot) in the host name in a "drophost" command. Vulnerabilidad de salto de directorio en el demonio trend-data (xymond_rrd) en Xymon 4.x anterior a la versión 4.3.12 permite a atacantes remotos eliminar archivos arbitrarios a través de .. (punto punto) en el nombre del host en un comando "drophost". • http://sourceforge.net/projects/xymon/files/Xymon/4.3.12 http://www.mandriva.com/security/advisories?name=MDVSA-2013:213 http://www.openwall.com/lists/oss-security/2013/07/27/3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •