CVSS: 8.8EPSS: 0%CPEs: 18EXPL: 0CVE-2024-23828 – Nginx-UI authenticated RCE through injecting into the application config via CRLF
https://notcve.org/view.php?id=CVE-2024-23828
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to an authenticated arbitrary command execution via CRLF attack when changing the value of test_config_cmd or start_cmd. This vulnerability exists due to an incomplete fix for CVE-2024-22197 and CVE-2024-22198. This vulnerability has been patched in version 2.0.0.beta.12. Nginx-UI es una interfaz web para administrar configuraciones de Nginx. • https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-qcjq-7f7v-pvc8 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 0%CPEs: 80EXPL: 0CVE-2024-23827 – Nginx-UI arbitrary file write through the Import Certificate feature
https://notcve.org/view.php?id=CVE-2024-23827
Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue. • https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 1CVE-2024-22198 – Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)
https://notcve.org/view.php?id=CVE-2024-22198
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The `Home > Preference` page exposes a list of system settings such as `Run Mode`, `Jwt Secret`, `Node Secret` and `Terminal Start Command`. While the UI doesn't allow users to modify the `Terminal Start Command` setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. • https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/system/settings.go#L18 https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/terminal/pty.go#L11 https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/internal/pty/pipeline.go#L29 https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/router/middleware.go#L45 https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/settings/server.go#L12 https://githu • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.0EPSS: 0%CPEs: 14EXPL: 1CVE-2024-22196 – Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
https://notcve.org/view.php?id=CVE-2024-22196
Nginx-UI is an online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. This issue may lead to information disclosure. By using `DefaultQuery`, the `"desc"` and `"id"` values are used as default values if the query parameters are not set. Thus, the `order` and `sort_by` query parameter are user-controlled and are being appended to the `order` variable without any sanitization. This issue has been patched in version 2.0.0.beta.9. • https://github.com/0xJacky/nginx-ui/commit/ec93ab05a3ecbb6bcf464d9dca48d74452df8a5b https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h374-mm57-879c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 1CVE-2024-22197 – Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)
https://notcve.org/view.php?id=CVE-2024-22197
Nginx-ui is online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sending a request to the API. This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure. • https://github.com/0xJacky/nginx-ui/commit/827e76c46e63c52114a62a899f61313039c754e3 https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-pxmr-q2x3-9x9m • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •