CVE-2018-16146 Information

Description

The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized leading to arbitrary command injection with the privileges of the nagios user account.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Reference

https://knowledge.opsview.com/v5.4/docs/whats-new https://seclists.org/fulldisclosure/2018/Sep/3 https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.2