Design/Logic Flaw

2024-01-1120:15:00

PRIOn knowledge base

www.prio-n.com

nginx-ui

online statistics

server indicators

cpu usage

memory usage

load average

disk usage

defaultquery

information disclosure

order variable

user-controlled

patch

nvd

6.7 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

18.1%

JSON

Nginx-UI is an online statistics for Server Indicators?? Monitor CPU usage, memory usage, load average, and disk usage in real-time. This issue may lead to information disclosure. By using DefaultQuery, the "desc" and "id" values are used as default values if the query parameters are not set. Thus, the order and sort_by query parameter are user-controlled and are being appended to the order variable without any sanitization. This issue has been patched in version 2.0.0.beta.9.

CPENameOperatorVersion
nginx_uilt2.0.0
nginx_uieq2.0.0 beta8
nginx_uieq2.0.0 beta7
nginx_uieq2.0.0 beta6
nginx_uieq2.0.0 beta5
nginx_uieq2.0.0 beta4
nginx_uieq2.0.0 beta3
nginx_uieq2.0.0 beta2
nginx_uieq2.0.0 beta1
nginx_uieq2.0.0 beta8-patch

Name	Operator	Version
nginx_ui	lt	2.0.0
nginx_ui	eq	2.0.0 beta8
nginx_ui	eq	2.0.0 beta7
nginx_ui	eq	2.0.0 beta6
nginx_ui	eq	2.0.0 beta5
nginx_ui	eq	2.0.0 beta4
nginx_ui	eq	2.0.0 beta3
nginx_ui	eq	2.0.0 beta2
nginx_ui	eq	2.0.0 beta1
nginx_ui	eq	2.0.0 beta8-patch