Bug 349011 (CVE-2007-5624) - CVE-2007-5624 nagios possible XSS in version <2.10
Summary: CVE-2007-5624 nagios possible XSS in version <2.10
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-5624
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 362791 362801 362811
Blocks:
 
Reported: 2007-10-23 16:36 UTC by Tomas Hoger
Modified: 2019-09-29 12:22 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-01-14 17:13:22 UTC
Embargoed:


Attachments
SuSE patch (11.99 KB, patch)
2008-05-14 12:10 UTC, Tomas Hoger

Description Tomas Hoger 2007-10-23 16:36:28 UTC
A new nagios version was released recently with the following entry in the changelog:

  Fix for a potential cross site scripting vulnerability in the CGIs


Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5624 to
this vulnerability:

Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10
allows remote attackers to inject arbitrary web script or HTML via
unknown vectors to unspecified CGI scripts.

References:

http://www.nagios.org/development/changelog.php#2x_branch
http://secunia.com/advisories/27316

Comment 2 Lubomir Kundrak 2007-11-09 18:41:05 UTC
Mike: Please make the updates. Is there anything that prevents you from doing so?
Do you need any help?

Comment 3 Red Hat Product Security 2008-01-14 17:13:22 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4123
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4145



Comment 4 Tomas Hoger 2008-05-14 12:10:54 UTC
Created attachment 305352
SuSE patch

This fix is present in upstream version 2.10.

(Extracted from SuSE nagios-2.9-48.4.src.rpm)

