Bug 1115983 (CVE-2014-4908) - CVE-2014-4908 pnp4nagios: Two URL Cross-Site Scripting Vulnerabilities
Summary: CVE-2014-4908 pnp4nagios: Two URL Cross-Site Scripting Vulnerabilities
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-4908
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1115984 1115985
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-03 13:04 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:19 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-02 08:42:24 UTC


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2014-07-03 13:04:23 UTC
Two vulnerabilities have been reported in PNP4Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input appended to the URL is not properly sanitised in "views/kohana_error_page.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input appended to the URL is not properly sanitised in "views/template.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Fixed in the GIT repository.

Original Advisory:
PNP4Nagios:
https://github.com/lingej/pnp4nagios/commit/e4a19768a5c5e5b1276caf3dd5bb721a540ec014
https://github.com/lingej/pnp4nagios/commit/cb925073edeeb97eb4ce61a86cdafccc9b87f9bb

Gentoo bugreport:
https://bugs.gentoo.org/show_bug.cgi?id=516140

CVE request sent to oss-security.

Comment 1 Vasyl Kaigorodov 2014-07-03 13:04:54 UTC
Created pnp4nagios tracking bugs for this issue:

Affects: epel-all [bug 1115984]
Affects: fedora-all [bug 1115985]

Comment 2 Vasyl Kaigorodov 2014-07-11 10:32:03 UTC
CVE-2014-4740 was REJECTED: http://seclists.org/oss-sec/2014/q3/140
Correct CVE ID for this is CVE-2014-4908

Comment 3 Fedora Update System 2014-07-14 00:53:39 UTC
pnp4nagios-0.6.22-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-07-14 00:54:42 UTC
pnp4nagios-0.6.22-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-07-20 17:59:28 UTC
pnp4nagios-0.6.22-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Jan ONDREJ 2014-10-01 11:13:20 UTC
I don't understand. pnp4nagios has been already released in Fedora. Is this still a bug? Do you have some patches? If it's not a bug in Fedora, why this bug has been reopened?

Comment 7 Jan ONDREJ 2014-10-02 08:42:24 UTC
Update already in stable. Closing. Please reopen if you think problem is still here.


Note You need to log in before you can comment on or make changes to this bug.