The vulnerability of the Nikto web application security scanner lies in the lack of mechanisms to neutralize special elements in the input commands of the operating system. This allows attackers to execute arbitrary commands on the operating system.

🗓️ 27 Jul 2018 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru

Nikto lacks input sanitization, enabling OS command execution via HTTP server during CSV generation.

Reporter	Title	Published	Views	Family All 28
0day.today	Nikto 2.1.6 - CSV Injection Vulnerability	18 Jun 201800:00	–	zdt
AlpineLinux	CVE-2018-11652	1 Jun 201815:00	–	alpinelinux
CNVD	Nikto CSV Injection Vulnerability (CNVD-2018-16264)	28 Jun 201800:00	–	cnvd
Check Point Advisories	Nikto CSV Injection Remote Code Execution (CVE-2018-11652)	20 Jun 201800:00	–	checkpoint_advisories
CVE	CVE-2018-11652	1 Jun 201815:00	–	cve
Cvelist	CVE-2018-11652	1 Jun 201815:00	–	cvelist
Debian CVE	CVE-2018-11652	1 Jun 201815:00	–	debiancve
Exploit DB	Nikto 2.1.6 - CSV Injection	18 Jun 201800:00	–	exploitdb
exploitpack	Nikto 2.1.6 - CSV Injection	18 Jun 201800:00	–	exploitpack
Fedora	[SECURITY] Fedora 28 Update: nikto-2.1.6-1.fc28	20 Jun 201801:55	–	fedora

Vulners

Node

chris_sullo,_david_lodge niktoRange≤2.1.6

Source	Link
github	www.github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7
exploit-db	www.exploit-db.com/exploits/44899/
web	www.web.nvd.nist.gov/view/vuln/detail
exploit-db	www.exploit-db.com/exploits/44899/

23 Mar 2021 00:00Current

6Medium risk

Vulners AI Score6

CVSS 39.8

CVSS 210

EPSS0.33586

input sanitization operating system command execution http server csv generation