CVE-2016-10367
published 2017-05-03

Priority: P1 (79) · high · 7.5 CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 16.11% (96.5th percentile)

In Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch), an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple URL encoding bypass, %252f instead of /.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
opsview | opsview | |
opsview | opsview | |
opsview | opsview | |
opsview | opsview | |

Detection & IOCs (extracted from sources)

url/monitoring/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd
path/monitoring/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd
  • Detect unauthenticated HTTP GET requests to the /monitoring/ endpoint containing double URL-encoded directory traversal sequences (%252f) targeting /etc/passwd
  • Look for the string '%252f' in HTTP GET request paths to the Opsview Monitor Pro /monitoring/ endpoint as the double-encoding bypass indicator
  • Shodan/FOFA fingerprinting: identify exposed Opsview instances via page title 'Opsview' or 'opsview' before probing for the LFI
  • A successful exploitation response will contain the pattern 'root:[x*]:0:0' (contents of /etc/passwd) in the HTTP response body
  • The Nuclei template matcher expects HTTP status 404 alongside the /etc/passwd regex match; this unusual combination (file content returned with a 404 status) must be accounted for in detection logic to avoid false negatives
  • The vulnerability is unauthenticated; no session cookie or credential is required, meaning any network-accessible Opsview Monitor Pro instance on affected versions is exploitable without prior authentication
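
The detection notes above, as an added example (not part of the original page or of any vendor tooling): a Python scan of web access logs for /monitoring/ GET requests that hide `../` behind double encoding, plus a response-body check that deliberately ignores the status code. The combined-log-style format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

PASSWD_RE = re.compile(r"root:[x*]:0:0")  # response pattern quoted on the page
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal_request(target):
    """True for /monitoring/ paths carrying %252f or decoding to '../'."""
    path = target.split("?", 1)[0]
    if not path.lower().startswith("/monitoring/"):
        return False
    return "%252f" in path.lower() or "../" in fully_decode(path)

def scan_access_log(lines):
    """Return (status, target) per matching GET; status is reported, never filtered on."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and m["method"] == "GET" and is_traversal_request(m["target"]):
            hits.append((int(m["status"]), m["target"]))
    return hits

def response_leaks_passwd(body):
    """Check the body alone: the page notes file content can arrive with a 404."""
    return bool(PASSWD_RE.search(body))

# Constructed sample log lines (documentation IP range, not from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2017:10:00:01 +0000] "GET /monitoring/..%252f..%252fetc/passwd HTTP/1.1" 404 1834',
    '192.0.2.11 - - [03/May/2017:10:00:02 +0000] "GET /monitoring/status HTTP/1.1" 200 512',
    '192.0.2.12 - - [03/May/2017:10:00:03 +0000] "GET /monitoring/..%252F..%252Fetc/passwd HTTP/1.1" 404 1834',
    '192.0.2.13 - - [03/May/2017:10:00:04 +0000] "GET /login HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for status, target in scan_access_log(SAMPLE_LOG):
        print(status, target)
```

Alerting pipelines that drop 4xx responses before inspection would miss both constructed hits here, which is why the scan reports the status instead of filtering on it.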

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | 7.5 | HIGH