135 matches found
CVE-2020-10791
app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests aka SSRF via the Test Connection feature aka testGrafanaConnection of the Grafana Module...
Design/Logic Flaw
openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell metacharacters that are mishandled on an su command line in app/Lib/SudoMessageInterface.php...
Default credentials
openITCOCKPIT before 3.7.3 has unnecessary files such as Lodash files under the web root, which leads to XSS...
Design/Logic Flaw
app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests aka SSRF via the Test Connection feature aka testGrafanaConnection of the Grafana Module...
CVE-2020-10788
CVE-2020-10788 affects openITCOCKPIT version prior to 3.7.3, where WebSocket connections use a fixed API key (1fea123e07f730f76e661bced33a94152378611e) instead of generating random keys. Root cause is the use of a static API key for WebSocket authentication, enabling potential unauthorized access...
CVE-2020-10788
openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API Key for WebSocket connections...
CVE-2020-10789
openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell metacharacters that are mishandled on an su command line in app/Lib/SudoMessageInterface.php...
CVE-2020-10789
OpenITCOCKPIT prior to version 3.7.3 exposes a web-based terminal that can execute arbitrary OS commands due to mishandling of shell metacharacters in the su path (app/Lib/SudoMessageInterface.php). Affected product/component: OpenITCOCKPIT web UI; root cause: improper handling of shell metachara...
CVE-2020-10790
openITCOCKPIT before 3.7.3 has unnecessary files such as Lodash files under the web root, which leads to XSS...
CVE-2020-10790
CVE-2020-10790 affects openITCOCKPIT
CVE-2020-10791
app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests aka SSRF via the Test Connection feature aka testGrafanaConnection of the Grafana Module...
CVE-2020-10791
OpenITCOCKPIT contains an SSRF vulnerability in GrafanaModule’s GrafanaConfigurationController.php. Affected versions are before 3.7.3; remote authenticated users can trigger outbound TCP requests via the Test Connection (testGrafanaConnection) feature. Evidence: CVE-2020-10791 and Red Hat/CNVD/O...
Unspecified vulnerability in openITCOCKPIT
openITCOCKPIT is a set of open source system monitoring tools . openITCOCKPIT 3.7.2 and earlier versions of a security vulnerability , an attacker can be exploited by placing in the HTTP Host header with 'dev' or 'staging' host name configuration self::DEVELOPMENT or self::STAGING option...
CVE-2020-10792
openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header...
CVE-2020-10792
openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header...
Design/Logic Flaw
openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header...
CVE-2020-10792
openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header...
CVE-2020-10792
OpenITCOCKPIT versions up to 3.7.2 are affected: an attacker can cause DEVELOPMENT or STAGING to be selected by sending a hostname in the HTTP Host header containing dev or staging. Root cause is improper handling of Host header input. Impact is configuration of environment options. For remediati...
CVE-2019-10227
openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component...
CVE-2019-10227
openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component...