Askar

**Name of the Vulnerable Software and Affected Versions** Ubilling version 1.0.9 **Description** The issue allows Remote Command Execution as a Root user. This is achieved by injecting a malicious command inside the config file, which is then triggered by another part of the software. **Recommendations** For Ubilling version 1.0.9, consider restricting access to the config file to prevent malicious command injection until a patch is available. As a temporary workaround, monitor the system for any suspicious activity that may indicate exploitation of this issue.

**Name of the Vulnerable Software and Affected Versions** OCS Inventory NG version 2.7 **Description** The issue allows for Remote Command Execution via shell metacharacters in the `require/commandLine/CommandLine.php` file. This is due to the mishandling of the `mib file` in `plugins/main sections/ms config/ms snmp config.php`, specifically in the `get mib oid` function. **Recommendations** For OCS Inventory NG version 2.7, consider restricting access to the `require/commandLine/CommandLine.php` file and the `get mib oid` function in `plugins/main sections/ms config/ms snmp config.php` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open-AudIT version 3.3.1 **Description** An issue was discovered in Open-AudIT where shell metacharacter injection is possible via attributes to an "open-audit/configuration/" URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings, internally referred to as `exclude ip`. This `exclude ip` value is passed to the `exec` function in the `discoveries helper.php` file, specifically inside the `all ip list` function, without being filtered. As a result, the attacker can provide a payload instead of a valid IP address. **Recommendations** For Open-AudIT version 3.3.1, consider disabling the `all ip list` function in the `discoveries helper.php` file as a temporary workaround until a patch is available. Restrict access to the "open-audit/configuration/" URI to minimize the risk of exploitation. Avoid using the `exclude ip` variable in the global discovery settings until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pandora FMS versions prior to 7.0 NG 742 **Description** The issue allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the `ip src` parameter in an "index.php?operation/netflow/nf live view" request. This is due to a problem in the `netflow get stats` function in `functions netflow.php`. **Recommendations** For versions prior to 7.0 NG 742, update to Pandora FMS 7.0 NG 742 to resolve the issue. As a temporary workaround, consider restricting access to the `netflow get stats` function in `functions netflow.php` to minimize the risk of exploitation. Avoid using the `ip src` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** rConfig version 3.9.2 **Description** An issue allows an attacker to directly execute system commands by sending a GET request to "ajaxServerSettingsChk.php" because the `rootUname` parameter is passed to the `exec` function without filtering, which can lead to command execution. **Recommendations** For rConfig version 3.9.2, as a temporary workaround, consider restricting access to the "ajaxServerSettingsChk.php" endpoint until a patch is available. Avoid using the `rootUname` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** rConfig version 3.9.2 **Description** An issue allows an attacker to directly execute system commands by sending a GET request to "search.crud.php" because the `catCommand` parameter is passed to the `exec` function without filtering, which can lead to command execution. **Recommendations** For rConfig version 3.9.2, as a temporary workaround, consider restricting access to the "search.crud.php" endpoint or filtering the `catCommand` parameter to prevent command execution until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FusionPBX version 4.4.8 **Description** The issue allows an attacker to execute arbitrary system commands. This is achieved by submitting a malicious command to the service edit.php file, which inserts the command into the database. The stored command can be triggered by calling the services.php file via a GET request with the service id followed by the parameter `a=start`. **Recommendations** For FusionPBX version 4.4.8, as a temporary workaround, consider restricting access to the services.php file and the service edit.php file to minimize the risk of exploitation. Avoid using the parameter `a=start` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Centreon versions 18.x through 18.10.5 Centreon versions 19.x through 19.04.2 Centreon web versions prior to 2.8.29 **Description** The issue allows an attacker to execute arbitrary system commands. This is achieved by using the value `init script` in "Monitoring Engine Binary" in `main.get.php` to insert an arbitrary command into the database. The command is then executed by calling the vulnerable page "www/include/configuration/configGenerate/xml/generateFiles.php", which passes the inserted value to the database to `shell exec` without sanitizing it, thus allowing the execution of arbitrary system commands. **Recommendations** For Centreon versions 18.x through 18.10.5, update to version 18.10.6 or later. For Centreon versions 19.x through 19.04.2, update to version 19.04.3 or later. For Centreon web versions prior to 2.8.29, update to version 2.8.29 or later.

Name of the Vulnerable Software and Affected Versions: LibreNMS version 1.46 Description: The issue allows remote attackers to execute arbitrary OS commands. This is achieved by using the `community` parameter in the `html/pages/addhost.inc.php` page during the creation of a new device. Then, by making a request to the `/ajax output.php?id=capture&format=text&type=snmpwalk&hostname=localhost` endpoint, it triggers command mishandling in `html/includes/output/capture.inc.php`. Recommendations: For LibreNMS version 1.46, as a temporary workaround, consider restricting access to the `html/pages/addhost.inc.php` page and the `/ajax output.php` endpoint to minimize the risk of exploitation. Avoid using the `community` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cacti version 1.2.8 **Description** The issue in Cacti's graph realtime.php file is related to the lack of neutralization of special elements, which can be exploited by a remote attacker to execute arbitrary code by sending a specially crafted request. This can be achieved via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. **Recommendations** For Cacti version 1.2.8, consider disabling the graph real-time privilege for guest users until a patch is available. Restrict access to the graph realtime.php file to minimize the risk of exploitation. Avoid using shell metacharacters in cookies for the affected version. At the moment, there is no information about a newer version that contains a fix for this vulnerability.