op5 Monitor < 5.7.3 Multiple Vulnerabilities

low Nessus Plugin ID 66268

Synopsis

A PHP application hosted on the remote web server is affected by multiple vulnerabilities.

Description

The version of op5 Monitor hosted on the remote web server is earlier than 5.7.3. It is, therefore, affected by the following vulnerabilities:

- The 'status/hostgroup_grid' script fails to properly sanitize user-supplied input to the 'items_per_page' parameter, which could allow for a SQL injection attack.

- A flaw exists in the 'command/submit' script that fails to validate the 'host' parameter, which could lead to cross-site scripting (XSS).

- A cross-site request forgery (CSRF) vulnerability exists because the application does not require multiple steps or explicit confirmation for sensitive transactions.

Solution

Upgrade op5 Monitor to version 5.7.3 or later.

See Also

http://www.nessus.org/u?977be06b

Plugin Details

Severity: Low

ID: 66268

File Name: op5_monitor_5_7_3.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 4/30/2013

Updated: 6/5/2024

Supported Sensors: Nessus

Enable CGI Scanning: true

Vulnerability Information

CPE: cpe:/a:op5:monitor

Required KB Items: www/op5_monitor

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/28/2012

Vulnerability Publication Date: 8/23/2012

Reference Information

BID: 55191

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990