229 matches found
GO-2024-2463 SQL injection in github.com/0xJacky/Nginx-UI
SQL injection in github.com/0xJacky/Nginx-UI...
GO-2024-2464 Remote command execution in github.com/0xJacky/Nginx-UI
Remote command execution in github.com/0xJacky/Nginx-UI...
Command Injection
Nginx-ui is vulnerable to Remote Command Injection. The vulnerability is caused by a lack of proper authorization checks in the SaveSettings function. This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure...
SQL Injection
Nginx-UI is vulnerable to SQL Injection. The vulnerability is due to improper validation and sanitization of the sortby parameter within the OrderAndPaginate function. An attacker can exploit this issue by injecting malicious SQL queries via sortby, resulting in sensitive information disclosure...
Arbitrary Command Execution
Nginx-UI is vulnerable to Arbitrary Command Execution. The vulnerability is due to improper handling of the startcmd setting. This issue can be exploited by an attacker by modifying the startcmd setting to execute arbitrary commands...
CVE-2024-22198
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn't...
CVE-2024-22196
Nginx-UI is an online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. This issue may lead to information disclosure. By using DefaultQuery, the "desc" and "id" values are used as default values if the query parameters are not set. Thu...
Information disclosure
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn't...
Design/Logic Flaw
Nginx-UI is an online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. This issue may lead to information disclosure. By using DefaultQuery, the "desc" and "id" values are used as default values if the query parameters are not set. Thu...
CVE-2024-22198 Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn't...
CVE-2024-22198 Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn't...
CVE-2024-22198
CVE-2024-22198 affects Nginx-UI, a web interface for Nginx config management. The issue allows authenticated remote code execution by abusing configuration settings; the Home > Preference exposes sensitive settings (Run Mode, Jwt Secret, Node Secret, Terminal Start Command) and can be modified...
CVE-2024-22198 Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn't...
CVE-2024-22196
CVE-2024-22196 affects nginx-ui (Go) where OrderAndPaginate uses user-controlled query parameters (order and sort_by via DefaultQuery) to build SQL order clauses, enabling SQL injection via crafted requests. Multiple connected sources confirm the vulnerability is exploitable through the GET /api/...
CVE-2024-22196 Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
Nginx-UI is an online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. This issue may lead to information disclosure. By using DefaultQuery, the "desc" and "id" values are used as default values if the query parameters are not set. Thu...
CVE-2024-22196 Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
Nginx-UI is an online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. This issue may lead to information disclosure. By using DefaultQuery, the "desc" and "id" values are used as default values if the query parameters are not set. Thu...
CVE-2024-22196 Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
Nginx-UI is an online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. This issue may lead to information disclosure. By using DefaultQuery, the "desc" and "id" values are used as default values if the query parameters are not set. Thu...
Information disclosure
Nginx-ui is online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. The Home Preference page exposes a small list of nginx settings such as Nginx Access Log Path and Nginx Error Log Path. However, the API also exposes testconfigcmd,...
CVE-2024-22197 Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)
Nginx-ui is online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. The Home Preference page exposes a small list of nginx settings such as Nginx Access Log Path and Nginx Error Log Path. However, the API also exposes testconfigcmd,...
Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)
Summary Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. Details The Home Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. The...