Vulnerability CVE-2011-2179

Vulnerability Name:

CVE-2011-2179 (CCN-67797)

Assigned:

2011-06-01

Published:

2011-06-01

Updated:

2017-08-29

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Gain Access

References:

Source: BUGTRAQ
Type: UNKNOWN
20110601 Cross-Site Scripting vulnerability in Icinga

Source: BUGTRAQ
Type: Exploit, Patch
20110601 Cross-Site Scripting vulnerability in Nagios

Source: MITRE
Type: CNA
CVE-2011-2179

Source: CCN
Type: SA44632
Icinga expand Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: UNKNOWN
44974

Source: SREASON
Type: UNKNOWN
8274

Source: CONFIRM
Type: Exploit, Patch, Vendor Advisory
http://tracker.nagios.org/view.php?id=224

Source: CCN
Type: Icinga Web site
Icinga

Source: MLIST
Type: UNKNOWN
[oss-security] 20110601 CVE request: XSS in nagios

Source: MLIST
Type: UNKNOWN
[oss-security] 20110602 Re: CVE request: XSS in nagios

Source: CCN
Type: OSVDB ID: 72730
Icinga cgi-bin/config.cgi expand Parameter XSS

Source: CCN
Type: OSVDB ID: 74122
Nagios config.cgi expand Parameter XSS

Source: CCN
Type: SSCHADV2011-005
Cross-Site Scripting vulnerability in Icinga

Source: MISC
Type: Exploit, Patch
http://www.rul3z.de/advisories/SSCHADV2011-005.txt

Source: MISC
Type: Exploit, Patch
http://www.rul3z.de/advisories/SSCHADV2011-006.txt

Source: BID
Type: UNKNOWN
48087

Source: CCN
Type: BID-48087
Nagios 'expand' Parameter Cross Site Scripting Vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-1151-1

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=709871

Source: CONFIRM
Type: Exploit, Patch, Vendor Advisory
https://dev.icinga.org/issues/1605

Source: XF
Type: UNKNOWN
icinga-expand-xss(67797)

Source: XF
Type: UNKNOWN
icinga-expand-xss(67797)

Vulnerable Configuration:

Configuration 1:

cpe:/a:icinga:icinga:0.8.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:0.8.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:0.8.2:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:0.8.3:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:0.8.4:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0:rc1:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.2.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.3.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.3.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:*:*:*:*:*:*:*:* (Version <= 1.4.0)

OR cpe:/a:nagios:nagios:3.2.3:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:icinga:icinga:1.4.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20112179	V	CVE-2011-2179	2015-11-16
oval:org.mitre.oval:def:13472	P	USN-1151-1 -- nagios3 vulnerabilities	2014-07-07
oval:com.ubuntu.artful:def:20112179000	V	CVE-2011-2179 on Ubuntu 17.10 (artful) - medium.	2011-06-14
oval:com.ubuntu.trusty:def:20112179000	V	CVE-2011-2179 on Ubuntu 14.04 LTS (trusty) - medium.	2011-06-14
oval:com.ubuntu.cosmic:def:201121790000000	V	CVE-2011-2179 on Ubuntu 18.10 (cosmic) - medium.	2011-06-14
oval:com.ubuntu.bionic:def:20112179000	V	CVE-2011-2179 on Ubuntu 18.04 LTS (bionic) - medium.	2011-06-14
oval:com.ubuntu.xenial:def:20112179000	V	CVE-2011-2179 on Ubuntu 16.04 LTS (xenial) - medium.	2011-06-14
oval:com.ubuntu.bionic:def:201121790000000	V	CVE-2011-2179 on Ubuntu 18.04 LTS (bionic) - medium.	2011-06-14
oval:com.ubuntu.cosmic:def:20112179000	V	CVE-2011-2179 on Ubuntu 18.10 (cosmic) - medium.	2011-06-14
oval:com.ubuntu.xenial:def:201121790000000	V	CVE-2011-2179 on Ubuntu 16.04 LTS (xenial) - medium.	2011-06-14
oval:com.ubuntu.precise:def:20112179000	V	CVE-2011-2179 on Ubuntu 12.04 LTS (precise) - medium.	2011-06-14

BACK