Fernando Catoira

Researcher fromCore Security Consulting Services
#6689of 53,635
40.5Total CVSS
Vulnerabilities · 5
Medium
2
High
2
Critical
1
PT-2018-13423
9.3
2018-09-05
Opsview · Opsview Monitor · CVE-2018-16145
**Name of the Vulnerable Software and Affected Versions** Opsview Monitor versions prior to 5.3.1 Opsview Monitor versions 5.4.x prior to 5.4.2 **Description** The issue concerns the /etc/init.d/opsview-reporting-module script, which runs at boot time and invokes a file editable by the nagios user. This allows attackers to elevate their privileges to root after a system restart, giving them full control of the appliance. **Recommendations** For Opsview Monitor versions prior to 5.3.1, update to version 5.3.1 or later. For Opsview Monitor versions 5.4.x prior to 5.4.2, update to version 5.4.2 or later.
PT-2018-13424
9.0
2018-09-05
Opsview · Opsview Monitor · CVE-2018-16146
**Name of the Vulnerable Software and Affected Versions** Opsview Monitor versions 5.4.x through 5.4.1 **Description** The issue affects the web management console, where an authenticated administrator can exploit a command injection flaw due to improper sanitization of the `value` parameter. This allows for arbitrary command execution with the privileges of the nagios user account. **Recommendations** For Opsview Monitor versions 5.4.x through 5.4.1, update to version 5.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the web management console to minimize the risk of exploitation. Avoid using the `value` parameter in the affected functionality until the issue is resolved.
PT-2018-13425
6.1
2018-09-05
Opsview · Opsview Monitor · CVE-2018-16147
**Name of the Vulnerable Software and Affected Versions** Opsview Monitor versions prior to 5.3.1 Opsview Monitor versions 5.4.x prior to 5.4.2 **Description** The issue concerns the `/settings/api/router` endpoint, where the `data` parameter is vulnerable to Cross-Site Scripting. **Recommendations** For versions prior to 5.3.1, update to version 5.3.1 or later. For versions 5.4.x prior to 5.4.2, update to version 5.4.2 or later.
PT-2018-13426
6.1
2018-09-05
Opsview · Opsview Monitor · CVE-2018-16148
**Name of the Vulnerable Software and Affected Versions** Opsview Monitor versions prior to 5.3.1 Opsview Monitor versions 5.4.x prior to 5.4.2 **Description** The issue concerns the `diagnosticsb2ksy` parameter of the "/rest" endpoint, which is susceptible to Cross-Site Scripting. **Recommendations** For versions prior to 5.3.1, update to version 5.3.1 or later. For versions 5.4.x prior to 5.4.2, update to version 5.4.2 or later.
PT-2018-12498
10
2018-08-03
Softnas · Softnas Cloud · CVE-2018-14417
**Name of the Vulnerable Software and Affected Versions** SoftNAS Cloud versions prior to 4.0.3 **Description** A command injection issue was discovered in the web administration console. Specifically, the `snserv` script failed to sanitize the `recentVersion` parameter from the "snserv endpoint", allowing an unauthenticated attacker to execute arbitrary commands with root permissions. **Recommendations** For versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `snserv` script and the "snserv endpoint" to minimize the risk of exploitation. Avoid using the `recentVersion` parameter in the affected endpoint until the issue is resolved.