Vulnerability Description
The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opsview | Opsview | >= 5.4.0, < 5.4.2 |
Related Weaknesses (CWE)
References
- https://knowledge.opsview.com/v5.4/docs/whats-newVendor Advisory
- https://seclists.org/fulldisclosure/2018/Sep/3ExploitMailing ListThird Party Advisory
- https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilitiesExploitThird Party Advisory
- https://knowledge.opsview.com/v5.4/docs/whats-newVendor Advisory
- https://seclists.org/fulldisclosure/2018/Sep/3ExploitMailing ListThird Party Advisory
- https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilitiesExploitThird Party Advisory
FAQ
What is CVE-2018-16146?
CVE-2018-16146 is a vulnerability with a CVSS score of 7.2 (HIGH). The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable...
How severe is CVE-2018-16146?
CVE-2018-16146 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-16146?
Check the references section above for vendor advisories and patch information. Affected products include: Opsview Opsview.