Search
Search Results (15 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-24891 | 2 It-novum, Openitcockpit | 2 Openitcockpit, Openitcockpit | 2026-02-24 | 7.5 High |
| openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitc_gearman calls PHP's unserialize() on job payloads without enforcing class restrictions or validating data origin. While the intended deployment assumes only trusted internal components enqueue Gearman jobs, this trust boundary is not enforced in application code. In environments where the Gearman service or worker is exposed to untrusted systems, an attacker may submit crafted serialized payloads to trigger PHP Object Injection in the worker process. This vulnerability is exploitable when Gearman listens on non-local interfaces, network access to TCP/4730 is unrestricted, or untrusted systems can enqueue jobs. Default, correctly hardened deployments may not be immediately exploitable, but the unsafe sink remains present in code regardless of deployment configuration. Enforcing this trust boundary in code would significantly reduce risk and prevent exploitation in misconfigured environments. This issue has been fixed in version 5.4.0. | ||||
| CVE-2023-3218 | 1 It-novum | 1 Openitcockpit | 2025-01-03 | 4.4 Medium |
| Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5. | ||||
| CVE-2023-36663 | 1 It-novum | 1 Openitcockpit | 2024-12-05 | 8.8 High |
| it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows SQL Injection (by authenticated users) via the sort parameter of the API interface. | ||||
| CVE-2023-3520 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 4.6 Medium |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6. | ||||
| CVE-2020-10792 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 7.5 High |
| openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header. | ||||
| CVE-2020-10791 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 6.5 Medium |
| app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests (aka SSRF) via the Test Connection feature (aka testGrafanaConnection) of the Grafana Module. | ||||
| CVE-2020-10790 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 5.4 Medium |
| openITCOCKPIT before 3.7.3 has unnecessary files (such as Lodash files) under the web root, which leads to XSS. | ||||
| CVE-2020-10789 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 9.8 Critical |
| openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell metacharacters that are mishandled on an su command line in app/Lib/SudoMessageInterface.php. | ||||
| CVE-2020-10788 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 9.1 Critical |
| openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API Key for WebSocket connections. | ||||
| CVE-2019-15494 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | N/A |
| openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. | ||||
| CVE-2019-15493 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | N/A |
| openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21. | ||||
| CVE-2019-15492 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | N/A |
| openITCOCKPIT before 3.7.1 has reflected XSS, aka RVID 3-445b21. | ||||
| CVE-2019-15491 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | N/A |
| openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21. | ||||
| CVE-2019-15490 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | N/A |
| openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. | ||||
| CVE-2019-10227 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 6.1 Medium |
| openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component. | ||||
Page 1 of 1.