CVE-2018-16146
CVE-2018-16146 is a vulnerability of currently unknown severity. The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account. EPSS estimates a 6.20% chance of exploitation in the next 30 days.
Description
The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Opsview | Opsview | >= 5.4.0, < 5.4.2 |
References
- https://knowledge.opsview.com/v5.4/docs/whats-new (Vendor Advisory)
- https://seclists.org/fulldisclosure/2018/Sep/3 (Exploit, Mailing List, Third Party Advisory)
- https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities (Exploit, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
