CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2015-8010
https://notcve.org/view.php?id=CVE-2015-8010
Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi. Vulnerabilidad de XSS en el Classic-UI con el enlace de exportación CSV y la funcionalidad de paginación en Icinga en versiones anteriores a 1.14 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la cadena de consulta a cgi-bin/status.cgi. • http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00019.html http://www.openwall.com/lists/oss-security/2015/10/23/15 http://www.openwall.com/lists/oss-security/2015/10/29/15 http://www.securityfocus.com/bid/97145 https://github.com/Icinga/icinga-core/issues/1563 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 1%CPEs: 5EXPL: 0CVE-2014-2386
https://notcve.org/view.php?id=CVE-2014-2386
Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, allow remote attackers to cause a denial of service (crash) via unspecified vectors to the (1) display_nav_table, (2) print_export_link, (3) page_num_selector, or (4) page_limit_selector function in cgi/cgiutils.c or (5) status_page_num_selector function in cgi/status.c, which triggers a stack-based buffer overflow. Múltiples errores de superación de límite (off-by-one) en Icinga, posiblemente 1.10.2 y anteriores, permiten a atacantes remotos causar una denegación de servicio (caída) a través de vectores no especificados hacia la función (1) display_nav_table, (2) print_export_link, (3) page_num_selector o (4) page_limit_selector en cgi/cgiutils.c or la función (5) status_page_num_selector en cgi/status.c, lo que provoca un desbordamiento de buffer basado en pila. • http://comments.gmane.org/gmane.comp.security.oss.general/12355 http://lists.opensuse.org/opensuse-updates/2014-03/msg00072.html https://dev.icinga.org/issues/5663 https://git.icinga.org/?p=icinga-core.git%3Ba=commitdiff%3Bh=73285093b71a5551abdaab0a042d3d6bae093b0d • CWE-189: Numeric Errors •
CVSS: 5.0EPSS: 4%CPEs: 20EXPL: 0CVE-2014-1878
https://notcve.org/view.php?id=CVE-2014-1878
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi. Desbordamiento de buffer basado en pila en la función cmd_submitf en cgi/cmd.c en Nagios Core, posiblemente 4.0.3rc1 y anteriores e Icinga anterior a 1.8.6, 1.9 anterior a 1.9.5 y 1.10 anterior a 1.10.3 permite a atacantes remotos causar una denegación de servicio (fallo de segmentación) a través de un mensaje largo hacia cmd.cgi. • http://lists.opensuse.org/opensuse-updates/2014-04/msg00033.html http://secunia.com/advisories/57024 http://www.securityfocus.com/bid/65605 https://bugzilla.redhat.com/show_bug.cgi?id=1066578 https://dev.icinga.org/issues/5434 https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html https://www.icinga.org/2014/02/11/bugfix-releases-1-10-3-1-9-5-1-8-6 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.5EPSS: 1%CPEs: 35EXPL: 0CVE-2013-7106
https://notcve.org/view.php?id=CVE-2013-7106
Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long string to the (1) display_nav_table, (2) page_limit_selector, (3) print_export_link, or (4) page_num_selector function in cgi/cgiutils.c; (5) status_page_num_selector function in cgi/status.c; or (6) display_command_expansion function in cgi/config.c. NOTE: this can be exploited without authentication by leveraging CVE-2013-7107. Múltiples desbordamientos de buffer basados en pila en Icinga anteriores a 1.8.5, 1.9 anteriores a 1.9.4, y 1.10 anteriores a 1.10.2 permite a atacantes autenticados remotamente causar denegación de servicio (caída) y posiblemente ejecutar código arbitrario a través de una cadena larga a las funciones en cgi/cgiutils.c (1) display_nav_table, (2) page_limit_selector, (3) print_export_link, o (4) page_num_selector; (5) la función status_page_num_selector en cgi/status.c; o (6) la función display_command_expansion en cgi/config.c. NOTA: este problema puede ser explotado sin autenticación aprovechando la vulnerabilidad CVE-2013-7107. • http://www.openwall.com/lists/oss-security/2013/12/16/4 https://dev.icinga.org/issues/5250 https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.8EPSS: 0%CPEs: 38EXPL: 0CVE-2013-7107
https://notcve.org/view.php?id=CVE-2013-7107
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via unspecified vectors, as demonstrated by bypassing authentication requirements for CVE-2013-7106. Vulnerabilidad de cross-site request forgery (CSRF) en cmd.cgi en Icinga 1.8.5, 1.9.4, 1.10.2 y anteriores, permite a atacantes secuestrar la autenticación de usuarios en comandos no especificados a través de vectores no especificados, como se muestra sorteando requisitos de autenticación para el CVE-2013-7106. • http://lists.opensuse.org/opensuse-updates/2014-02/msg00061.html http://www.openwall.com/lists/oss-security/2013/12/16/4 https://dev.icinga.org/issues/5250 https://dev.icinga.org/issues/5346 https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5 • CWE-352: Cross-Site Request Forgery (CSRF) •