CVE-2018-16146
HIGH
Opsview 5.4.0-5.4.1 - Authenticated OS Command Injection via Notification Test Value Parameter
Title source: llm
Description
The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://knowledge.opsview.com/v5.4/docs/whats-new
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
https://seclists.org/fulldisclosure/2018/Sep/3
Exploit, Third Party Advisory x_refsource_misc
https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Scores
CVSS v3
7.2
EPSS
0.0620
EPSS Percentile
92.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
opsview/opsview
5.4.0 - 5.4.2
Published
Sep 05, 2018
Tracked Since
Feb 18, 2026