DSA-3495-1 xymon -- xymonID: oval:org.secpod.oval:def:602399 | Date: (C)2016-03-03 (M)2021-06-02 |
Class: PATCH | Family: unix |
Markus Krell discovered that xymon, a network- and applications-monitoring system, was vulnerable to the following security issues: CVE-2016-2054 The incorrect handling of user-supplied input in the "config" command can trigger a stack-based buffer overflow, resulting in denial of service or remote code execution. CVE-2016-2055 The incorrect handling of user-supplied input in the "config" command can lead to an information leak by serving sensitive configuration files to a remote user. CVE-2016-2056 The commands handling password management do not properly validate user-supplied input, and are thus vulnerable to shell command injection by a remote user. CVE-2016-2057 Incorrect permissions on an internal queuing system allow a user with a local account on the xymon master server to bypass all network-based access control lists, and thus inject messages directly into xymon. CVE-2016-2058 Incorrect escaping of user-supplied input in status webpages can be used to trigger reflected cross-site scripting attacks.