CVE-2015-4420

Opsview < 4.6.2 - Cross-Site Scripting via Crafted Check Plugin or Host Profile Description

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-4420. PoCs published by Dolev Farhi.

AI-analyzed exploit summary: This exploit demonstrates multiple stored and reflected XSS vulnerabilities in Opsview 4.6.2. It includes detailed steps to trigger XSS via malicious check plugins, host descriptions, and service check command-line arguments.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 and earlier allow remote attackers to inject arbitrary web script or HTML via a (1) crafted check plugin, the (2) description in a host profile, or the (3) plugin_args parameter to a Test service check page.

Exploits (1)

exploitdb WORKING POC
by Dolev Farhi · text · webapps · multiple
https://www.exploit-db.com/exploits/37271

Classification
Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Opsview 4.6.2
Auth required
Prerequisites: Access to Opsview admin interface · Ability to create/modify plugins, hosts, or service checks
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/75223
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37271/

Scores

EPSS 0.0157
EPSS Percentile 72.0%

Details

CWE: CWE-79
Status: published
Products (1): opsview/opsview < 4.6.2
Published: Jun 18, 2015
Tracked Since: Feb 18, 2026