CVE-2012-6096 – Nagios3 - 'history.cgi' Host Command Execution
https://notcve.org/view.php?id=CVE-2012-6096
Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable. Múltiples desbordamientos de búfer basado en pila en la función get_history en history.cgi en Nagios core anterior a v3.4.4, y Icinga v1.6.x anterior a v1.6.2, v1.7.x anterior a v1.7.4, y v1.8.x anterior a v1.8.4, permite a atacantes remotos ejecutar código de su elección a través de una variable (1) host_name de gran longitud o (2) de la variable svc_description. Nagios version 3.x suffers from a remote command execution vulnerability in history.cgi. • https://www.exploit-db.com/exploits/24159 https://www.exploit-db.com/exploits/24084 http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html http://lists.opensuse.org/opensuse-updates/2013-01/msg00033.html http://lists.opensuse.org/opensuse-updates/2013-01/msg00060.html http://lists.opensuse.org/opensuse-updates/2013-01/msg00077.html http://lists.opensuse.org/opensuse-updates/2013-01/msg00088.html http://secunia.com/advisories/51863 http://www.debian.org/security • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2011-2179 – Nagios 3.2.3 - 'expand' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-2179
Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en config.c en config.cgi en (1) Nagios v3.2.3 y (2) Icinga antes de v1.4.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro expand, como se demuestra por (a) la acción command o (b) una acción hosts. • https://www.exploit-db.com/exploits/35818 http://archives.neohapsis.com/archives/bugtraq/2011-06/0017.html http://archives.neohapsis.com/archives/bugtraq/2011-06/0018.html http://secunia.com/advisories/44974 http://securityreason.com/securityalert/8274 http://tracker.nagios.org/view.php?id=224 http://www.openwall.com/lists/oss-security/2011/06/01/10 http://www.openwall.com/lists/oss-security/2011/06/02/6 http://www.rul3z.de/advisories/SSCHADV2011-005.txt http://w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-1523
https://notcve.org/view.php?id=CVE-2011-1523
Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the layer parameter. vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en statusmap.c en statusmap.cgi en Nagios v3.2.3 y anteriores, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro de la capa. • http://openwall.com/lists/oss-security/2011/03/25/3 http://openwall.com/lists/oss-security/2011/03/28/4 http://secunia.com/advisories/43287 http://secunia.com/advisories/44974 http://securityreason.com/securityalert/8241 http://tracker.nagios.org/view.php?id=207 http://www.rul3z.de/advisories/SSCHADV2011-002.txt http://www.ubuntu.com/usn/USN-1151-1 https://bugzilla.redhat.com/show_bug.cgi?id=690877 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-2288 – Nagios 3.0.6 - 'statuswml.cgi' Arbitrary Shell Command Injection
https://notcve.org/view.php?id=CVE-2009-2288
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters. statuswml.cgi en Nagios v3.1.1, permite a atacantes remotos ejecutar comandos de su elección a través de metacaracteres de consola en los parámetros (1) ping o (2) Traceroute. • https://www.exploit-db.com/exploits/33051 https://www.exploit-db.com/exploits/16908 https://www.exploit-db.com/exploits/9861 http://marc.info/?l=bugtraq&m=126996888626964&w=2 http://secunia.com/advisories/35543 http://secunia.com/advisories/35688 http://secunia.com/advisories/35692 http://secunia.com/advisories/39227 http://security.gentoo.org/glsa/glsa-200907-15.xml http://tracker.nagios.org/view.php?id=15 http://www.debian.org/security/2009/dsa-1825 http: • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2008-6373
https://notcve.org/view.php?id=CVE-2008-6373
Unspecified vulnerability in Nagios before 3.0.6 has unspecified impact and remote attack vectors related to CGI programs, "adaptive external commands," and "writing newlines and submitting service comments." Vulnerabilidad no especificada en Nagios versiones anteriores a v3.0.6 tiene un impacto no especificado y vectores de ataque remoto relacionados con los programas CGI, "comandos de adaptación externa", e "introducción de nuevas líneas y envío de comentarios de servicio". • http://marc.info/?l=bugtraq&m=124156641928637&w=2 http://secunia.com/advisories/32909 http://secunia.com/advisories/35002 http://security.gentoo.org/glsa/glsa-200907-15.xml http://www.nagios.org/development/history/nagios-3x.php http://www.nagios.org/news/#88 http://www.securityfocus.com/bid/32611 http://www.securitytracker.com/id?1022165 http://www.vupen.com/english/advisories/2009/1256 https://exchange.xforce.ibmcloud.com/vulnerabilities/47081 • CWE-94: Improper Control of Generation of Code ('Code Injection') •