It-Novum Openitcockpit vulnerabilities
17 known vulnerabilities affecting it-novum/openitcockpit.
Total CVEs: 17
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 7, MEDIUM 6
Vulnerabilities
CVE-2026-24893 | P2 | HIGH | CVSS 8.8 | CWE-20 | fixed in 5.5.2 | 2026-04-14
openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because us
Source: NVD
CVE-2026-24892 | P3 | HIGH | CVSS 8.8 | CWE-502 | fixed in 5.4.0 | 2026-02-20
openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization pattern in the processing of changelog entries. Serialized changelog data derived from attacker-influenced application state is unserialized w
Source: NVD
CVE-2020-10789 | P3 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 3.7.3 | 2020-03-25
openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell metacharacters that are mishandled on an su command line in app/Lib/SudoMessageInterface.php.
Source: NVD
CVE-2019-10227 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | fixed in 3.7.1 | 2019-12-31
openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component.
Source: NVD
CVE-2023-36663 | P3 | HIGH | CVSS 8.8 | CWE-89 | v4.6.4 | 2023-06-25
it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows SQL Injection (by authenticated users) via the sort parameter of the API interface.
Source: NVD
CVE-2019-15490 | P3 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 3.7.1 | 2019-08-23
openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21.
Source: NVD
CVE-2026-24891 | P3 | HIGH | CVSS 7.5 | CWE-502 | fixed in 5.4.0 | 2026-02-20
openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitc_gearman calls PHP's unserialize() on job payloads without enforcing class restrictions or
Source: NVD
CVE-2020-10788 | P3 | CRITICAL | CVSS 9.1 | CWE-798 | fixed in 3.7.3 | 2020-03-25
openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API Key for WebSocket connections.
Source: NVD
CVE-2019-15494 | P3 | CRITICAL | CVSS 9.8 | CWE-918 | fixed in 3.7.1 | 2019-08-23
openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21.
Source: NVD
CVE-2020-10792 | P3 | HIGH | CVSS 7.5 | CWE-276 | ≤ 3.7.2 | 2020-03-20
openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header.
Source: NVD
CVE-2019-15493 | P3 | HIGH | CVSS 7.5 | fixed in 3.7.1 | 2019-08-23
openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21.
Source: NVD
CVE-2020-10791 | P4 | MEDIUM | CVSS 6.5 | CWE-918 | fixed in 3.7.3 | 2020-03-25
app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests (aka SSRF) via the Test Connection feature (aka testGrafanaConnection) of the Grafana Module.
Source: NVD
CVE-2019-15491 | P4 | HIGH | CVSS 8.8 | CWE-352 | fixed in 3.7.1 | 2019-08-23
openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21.
Source: NVD
CVE-2020-10790 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 3.7.3 | 2020-03-25
openITCOCKPIT before 3.7.3 has unnecessary files (such as Lodash files) under the web root, which leads to XSS.
Source: NVD
CVE-2019-15492 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.7.1 | 2019-08-23
openITCOCKPIT before 3.7.1 has reflected XSS, aka RVID 3-445b21.
Source: NVD
CVE-2023-3520 | P4 | MEDIUM | CVSS 4.6 | CWE-614 | fixed in 4.6.6 | 2023-07-06
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6.
Source: NVD
CVE-2023-3218 | P4 | MEDIUM | CVSS 4.4 | CWE-366 | fixed in 4.6.5 | 2023-06-13
Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5.
Source: NVD