CVE-2008-5027
https://notcve.org/view.php?id=CVE-2008-5027
The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote authenticated users to bypass authorization checks, and trigger execution of arbitrary programs by this process, via an (a) custom form or a (b) browser addon. El proceso Nagios en (1) Nagios anterior a v3.0.5 y (2) op5 Monitor anterior a v4.0.1 ; permite a usuarios autenticados en remoto evitar las comprobaciones de autorización y provocar la ejecución de ficheros de su elección por este proceso a través de (a) un formulario personalizado o (b) un complemento para el navegador. • http://marc.info/?l=bugtraq&m=124156641928637&w=2 http://secunia.com/advisories/33320 http://secunia.com/advisories/35002 http://security.gentoo.org/glsa/glsa-200907-15.xml http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel http://www.nagios.org/development/history/nagios-3x.php http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor http://www.openwall.com/lists/oss-security/2008/11/06/2 http • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2008-5028
https://notcve.org/view.php?id=CVE-2008-5028
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecified HTTP requests. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en cmd.cgi en (1) Nagios 3.0.5 y (2) op5 Monitor antes de v4.0.1 permite a atacantes remotos enviar comandos al proceso Nagios y dispara la ejecución de programas de su elección por este proceso, mediante peticiones HTTP no especificadas. • http://git.op5.org/git/?p=nagios.git%3Ba=commit%3Bh=814d8d4d1a73f7151eeed187c0667585d79fea18 http://marc.info/?l=bugtraq&m=124156641928637&w=2 http://osvdb.org/49678 http://secunia.com/advisories/32610 http://secunia.com/advisories/32630 http://secunia.com/advisories/33320 http://secunia.com/advisories/35002 http://security.gentoo.org/glsa/glsa-200907-15.xml http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel http://www.op5.c • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-4796 – Feed2JS File Disclosure
https://notcve.org/view.php?id=CVE-2008-4796
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs. La función _httpsrequest function (Snoopy/Snoopy.class.php) en Snoopy 1.2.3 y versiones anteriores, cuando es usada en (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost y posiblemente otros productos, permite a atacantes remotos ejecutar comandos arbitrarios a través de metacarácteres shell en URLs https. Feed2JS uses MagpieRSS for parsing the feeds, and MagpieRSS uses Snoopy library for fetching the documents. The version of Snoopy in use suffers from a local file disclosure vulnerability. • http://jvn.jp/en/jp/JVN20502807/index.html http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000074.html http://secunia.com/advisories/32361 http://sourceforge.net/forum/forum.php?forum_id=879959 http://www.debian.org/security/2008/dsa-1691 http://www.debian.org/security/2009/dsa-1871 http://www.openwall.com/lists/oss-security/2008/11/01/1 http://www.securityfocus.com/archive/1/496068/100/0/threaded http://www.securityfocus.com/bid/31887 http://www.vupen • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2007-5803
https://notcve.org/view.php?id=CVE-2007-5803
Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en programas CGI en Nagios versiones anteriores a 2.12, podrían permitir a atacantes remotos inyectar script web o HTML arbitrario por medio de vectores no especificados, un problema diferente de CVE-2007-5624 y CVE-2008-1360. • http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html http://secunia.com/advisories/30202 http://secunia.com/advisories/30283 http://sourceforge.net/project/shownotes.php?release_id=600377 http://sourceforge.net/project/shownotes.php?release_id=600377&group_id=26589 http://www.securityfocus.com/bid/29140 http://www.vupen.com/english/advisories/2008/1567/references https://exchange.xforce.ibmcloud.com/vulnerabilities/42522 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-1360
https://notcve.org/view.php?id=CVE-2008-1360
Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts, a different issue than CVE-2007-5624. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en Nagios versiones anteriores a la 2.11, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante vectores desconocidos a secuencias de comandos CGI, un problema diferente al de la CVE-2007-5624. • http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html http://secunia.com/advisories/29363 http://www.mandriva.com/security/advisories?name=MDVSA-2008:067 http://www.nagios.org/development/changelog.php#2x_branch http://www.securityfocus.com/bid/28250 http://www.vupen.com/english/advisories/2008/0900/references https://exchange.xforce.ibmcloud.com/vulnerabilities/41210 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •