CVE-2018-18836

MEDIUM

Netdata 1.10.0 - JSON Injection via tqx Parameter

Title source: llm

Description

An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.

References (5)

Core 5

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/netdata/netdata/blob/798c141c49ee85bddc8f48f25d2cb593ec96da07/web/api/web_api_v1.c#L388

View Exploit ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://github.com/netdata/netdata/blob/798c141c49ee85bddc8f48f25d2cb593ec96da07/web/api/web_api_v1.c#L403

View Exploit ZIP pw:eip

Patch, Third Party Advisory x_refsource_misc

https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca

View Patch ZIP pw:eip

Third Party Advisory x_refsource_confirm

https://github.com/netdata/netdata/pull/4521

Third Party Advisory x_refsource_misc

https://www.red4sec.com/cve/netdata_json_injection.txt

Scores

CVSS v3 6.5

EPSS 0.0196

EPSS Percentile 77.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE

CWE-94

Status published

Products (1)

my-netdata/netdata 1.10.0

Published Jun 18, 2019

Tracked Since Feb 18, 2026