Two vulnerabilities have been reported in PNP4Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks.
1) Input appended to the URL is not properly sanitised in "views/kohana_error_page.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) Input appended to the URL is not properly sanitised in "views/template.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Solution: Fixed in the GIT repository.
Original Advisory: PNP4Nagios:
https://github.com/lingej/pnp4nagios/commit/e4a19768a5c5e5b1276caf3dd5bb721a540ec014
https://github.com/lingej/pnp4nagios/commit/cb925073edeeb97eb4ce61a86cdafccc9b87f9bb
Gentoo bugreport: https://bugs.gentoo.org/show_bug.cgi?id=516140
CVE request sent to oss-security.
Created pnp4nagios tracking bugs for this issue:
Affects: epel-all [bug 1115984]
Affects: fedora-all [bug 1115985]
CVE-2014-4740 was REJECTED: http://seclists.org/oss-sec/2014/q3/140
Correct CVE ID for this is CVE-2014-4908
pnp4nagios-0.6.22-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
pnp4nagios-0.6.22-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
pnp4nagios-0.6.22-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
I don't understand. pnp4nagios has already been released in Fedora. Is this still a bug? Do you have some patches? If it's not a bug in Fedora, why has this bug been reopened?
Update already in stable. Closing. Please reopen if you think the problem is still here.