CVE-2008-5028
Published: 2008-11-10
Priority P426 · medium · 6.8 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 1.68% (74.0th percentile)
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecified HTTP requests.
Affected
51 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios | <= 3.0.4 | — |
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_ubuntu · 6.5 MEDIUM
Ubuntu
Nagios vulnerabilities
vendor_ubuntu·2008-12-23·CVSS 6.5
CVE-2008-5027 [MEDIUM] Nagios vulnerabilities
Title: Nagios vulnerabilities
Summary: Nagios vulnerabilities
It was discovered that Nagios was vulnerable to a Cross-site request forgery
(CSRF) vulnerability. If an authenticated nagios user were tricked into
clicking a link on a specially crafted web page, an attacker could trigger
commands to be processed by Nagios and execute arbitrary programs. This
update alters Nagios behaviour by disabling submission of CMD_CHANGE commands.
(CVE-2008-5028)
It was discovered that Nagios did not properly parse commands submitted using
the web interface. An authenticated user could use a custom form or a browser
addon to bypass security restrictions and submit unauthorized commands.
(CVE-2008-5027)
Instructions: After a standard system upgrade you need to restart Nagios to effect
the necessary ch
Ubuntu
Nagios3 vulnerabilities
vendor_ubuntu·2008-12-22·CVSS 6.5
CVE-2008-5027 [MEDIUM] Nagios3 vulnerabilities
Title: Nagios3 vulnerabilities
Summary: Nagios3 vulnerabilities
It was discovered that Nagios was vulnerable to a Cross-site request forgery
(CSRF) vulnerability. If an authenticated nagios user were tricked into
clicking a link on a specially crafted web page, an attacker could trigger
commands to be processed by Nagios and execute arbitrary programs. This
update alters Nagios behaviour by disabling submission of CMD_CHANGE commands.
(CVE-2008-5028)
It was discovered that Nagios did not properly parse commands submitted using
the web interface. An authenticated user could use a custom form or a browser
addon to bypass security restrictions and submit unauthorized commands.
(CVE-2008-5027)
Instructions: After a standard system upgrade you need to restart Nagios to effect
the necessary
GHSA
GHSA-f844-p5pg-6j6p: Cross-site request forgery (CSRF) vulnerability in cmd
ghsa_unreviewed·2022-05-17
CVE-2008-5028 [MEDIUM] CWE-352 GHSA-f844-p5pg-6j6p: Cross-site request forgery (CSRF) vulnerability in cmd
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecified HTTP requests.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2008-6373 nagios: unspecified vuln related to CGI programs
bugzilla·2009-03-02·CVSS 6.5
CVE-2008-6373 [MEDIUM] CVE-2008-6373 nagios: unspecified vuln related to CGI programs
Common Vulnerabilities and Exposures assigned an identifier to
the following vulnerability:
Name: CVE-2008-6373
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6373
Assigned: 20090302
Reference: CONFIRM: http://www.nagios.org/development/history/nagios-3x.php
Reference: CONFIRM: http://www.nagios.org/news/#88
Reference: BID:32611
Reference: URL: http://www.securityfocus.com/bid/32611
Reference: SECUNIA:32909
Reference: URL: http://secunia.com/advisories/32909
Unspecified vulnerability in Nagios before 3.0.6 has unspecified
impact and remote attack vectors related to CGI programs, "adaptive
external commands," and "writing newlines and submitting service
comments."
Additional resources:
http://bugs.gentoo.org/sh
Bugzilla
CVE-2008-5028 nagios: CSRF vulnerability in cmd.cgi
bugzilla·2008-11-10·CVSS 6.8
CVE-2008-5028 [MEDIUM] CVE-2008-5028 nagios: CSRF vulnerability in cmd.cgi
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5028 to the following vulnerability:
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1)
Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers
to send commands to the Nagios process, and trigger execution of
arbitrary programs by this process, via unspecified HTTP requests.
References:
http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel
http://www.openwall.com/lists/oss-security/2008/11/06/2
http://git.op5.org/git/?p=nagios.git;a=commit;h=814d8d4d1a73f7151eeed187c0667585d79fea18
http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor
http://secunia.com/adv
http://git.op5.org/git/?p=nagios.git%3Ba=commit%3Bh=814d8d4d1a73f7151eeed187c0667585d79fea18
http://marc.info/?l=bugtraq&m=124156641928637&w=2
http://osvdb.org/49678
http://secunia.com/advisories/32610
http://secunia.com/advisories/32630
http://secunia.com/advisories/33320
http://secunia.com/advisories/35002
http://security.gentoo.org/glsa/glsa-200907-15.xml
http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel
http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor
http://www.openwall.com/lists/oss-security/2008/11/06/2
http://www.securitytracker.com/id?1022165
http://www.vupen.com/english/advisories/2008/3029
http://www.vupen.com/english/advisories/2009/1256
https://exchange.xforce.ibmcloud.com/vulnerabilities/46426
https://exchange.xforce.ibmcloud.com/vulnerabilities/46521
https://www.ubuntu.com/usn/USN-698-3/
Published: 2008-11-10