Information disclosure in monitor - CVE-2012-0263
Published: December 31, 2013 / Updated: August 10, 2020
Vulnerability identifier: #VU42192
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-0263
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: AsuraTeam
Affected software:
monitor
monitor
Detailed vulnerability description
The vulnerability allows a remote #AU# to gain access to sensitive information.
monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows remote authenticated users to obtain sensitive information such as database and user credentials via error messages that are triggered by (1) a malformed hoststatustypes parameter to status/service/all or (2) a crafted request to config.
How to mitigate CVE-2012-0263
Install update from vendor's website.
Sources
- http://seclists.org/fulldisclosure/2012/Jan/62
- http://secunia.com/advisories/47344
- http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf
- http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/
- http://www.osvdb.org/78067
- https://bugs.op5.com/view.php?id=5094