SB2013123101 - Information disclosure in AsuraTeam monitor
Published: December 31, 2013 Updated: August 10, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Information disclosure (CVE-ID: CVE-2012-0263)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote #AU# to gain access to sensitive information.
monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows remote authenticated users to obtain sensitive information such as database and user credentials via error messages that are triggered by (1) a malformed hoststatustypes parameter to status/service/all or (2) a crafted request to config.
Remediation
Install update from vendor's website.
References
- http://seclists.org/fulldisclosure/2012/Jan/62
- http://secunia.com/advisories/47344
- http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf
- http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/
- http://www.osvdb.org/78067
- https://bugs.op5.com/view.php?id=5094