4 results (0.003 seconds)

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an unprivileged account but root code execution depends on these files, which allows local users to gain privileges by leveraging access to this unprivileged account.

References:
• https://github.com/lingej/pnp4nagios/issues/140
• https://security.gentoo.org/glsa/201806-09

CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 4.3 | EPSS: 0% | CPEs: 21 | EXPL: 1

Cross-site scripting (XSS) vulnerability in share/pnp/application/views/kohana_error_page.php in PNP4Nagios before 0.6.22 allows remote attackers to inject arbitrary web script or HTML via a parameter that is not properly handled in an error message.

References:
• http://docs.pnp4nagios.org/pnp-0.6/dwnld
• http://openwall.com/lists/oss-security/2014/07/11/3
• http://secunia.com/advisories/59535
• http://secunia.com/advisories/59603
• http://sourceforge.net/p/pnp4nagios/code/ci/f846a6c9d007ca2bee05359af747619151195fc9
• http://www.op5.com/blog/news/op5-monitor-6-3-1-release-notes
• http://www.securityfocus.com/bid/68350
• https://bugs.op5.com/view.php?id=8761

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 20 | EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through 0.6.22 allow remote attackers to inject arbitrary web script or HTML via the URI used for reaching (1) share/pnp/application/views/kohana_error_page.php or (2) share/pnp/application/views/template.php, leading to improper handling within an http-equiv="refresh" META element.

References:
• http://openwall.com/lists/oss-security/2014/07/11/3
• http://secunia.com/advisories/58973
• http://www.securityfocus.com/bid/68352
• https://github.com/lingej/pnp4nagios/commit/cb925073edeeb97eb4ce61a86cdafccc9b87f9bb
• https://github.com/lingej/pnp4nagios/commit/e4a19768a5c5e5b1276caf3dd5bb721a540ec014

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 2.1 | EPSS: 0% | CPEs: 15 | EXPL: 0

PNP4Nagios 0.6 through 0.6.16 uses world-readable permissions for process_perfdata.cfg, which allows local users to obtain the Gearman shared secret by reading the file.

References:
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683879
• http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086161.html
• http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086387.html
• http://www.openwall.com/lists/oss-security/2012/08/06/7
• http://www.openwall.com/lists/oss-security/2012/08/06/8
• http://www.securityfocus.com/bid/54863

CWE-264: Permissions, Privileges, and Access Controls