Peter Osterberg

**Name of the Vulnerable Software and Affected Versions** op5 Monitor versions prior to 1.6.2 op5 Appliance versions prior to 5.5.3 **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the `timestamp` parameter for an install action in the license.php file. **Recommendations** For op5 Monitor versions prior to 1.6.2, update to version 1.6.2 or later to resolve the issue. For op5 Appliance versions prior to 5.5.3, update to version 5.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the license.php file to minimize the risk of exploitation. Avoid using the `timestamp` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** op5 Monitor versions prior to 2.0.3 op5 Appliance versions prior to 5.5.3 **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the `password` parameter. This can be exploited in the op5config/welcome in system-op5config. **Recommendations** For op5 Monitor versions prior to 2.0.3, update to version 2.0.3 or later to resolve the issue. For op5 Appliance versions prior to 5.5.3, update to version 5.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `password` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** op5 Monitor and op5 Appliance versions prior to 5.5.1 **Description** The issue allows remote authenticated users to obtain sensitive information, such as database and user credentials, via error messages triggered by specific actions. This can be achieved by either providing a malformed `hoststatustypes` parameter to the "status/service/all" endpoint or by sending a crafted request to "config". **Recommendations** For versions prior to 5.5.1, update to version 5.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "status/service/all" endpoint and the "config" section to minimize the risk of exploitation. Avoid using the `hoststatustypes` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** op5 Monitor and op5 Appliance versions prior to 5.5.0 **Description** The issue is related to improper management of session cookies, which could allow remote attackers to have an unspecified impact. The exact vectors of the attack are not specified. **Recommendations** For versions prior to 5.5.0, update to version 5.5.0 or later to resolve the issue.