CVE-2018-16146

HIGH

Opsview 5.4.0-5.4.1 - Authenticated OS Command Injection via Notification Test Value Parameter

Title source: llm

Description

The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account.

References (3)

Core References
Vendor Advisory x_refsource_confirm
https://knowledge.opsview.com/v5.4/docs/whats-new
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
https://seclists.org/fulldisclosure/2018/Sep/3

Scores

CVSS v3 7.2
EPSS 0.0620
EPSS Percentile 92.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
opsview/opsview 5.4.0 - 5.4.2
Published Sep 05, 2018
Tracked Since Feb 18, 2026