openITCOCKPIT Security Disclosures

Reporting Security Vulnerabilities

Please send security vulnerabilities found in openITCOCKPIT or software that is used by openITCOCKPIT to: security@openitcockpit.io.


Disclosed Vulnerabilities

openITCOCKPIT < 4.6.5

| Impact | CVE            | Found by   | ID       | Vulnerability Summary                                                                  |
|--------|----------------|------------|----------|----------------------------------------------------------------------------------------|
| High   | CVE-2023-36663 | hiu240900  | ITC-3017 | SQL injection: The sort endpoints of the API are vulnerable to SQL injection.          |
| Medium | CVE-2023-3218  | tuannq2299 | ITC-3014 | Race condition: Multiple users with the same username can be created.                  |

openITCOCKPIT < 3.7.3

| Impact | CVE            | ID       | Vulnerability Summary                                                                                                                                                                                          |
|--------|----------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| High   | CVE-2020-10789 | ITC-2321 | Code injection: The input of the embedded terminal is not properly escaped, which leads to remote code execution.                                                                                             |
| High   | CVE-2020-10788 | ITC-2322 | Static WebSocket key: The key used by the WebSocket server to prevent unauthenticated access is the same on all openITCOCKPIT installations.                                                                  |
| High   | CVE-2020-10790 | ITC-2324 | Cross-site scripting: openITCOCKPIT grants access to unnecessary files in the webroot directory, which could be affected by an XSS security issue.                                                            |
| High   | CVE-2020-10792 | ITC-2325 | Ability to trick the server into running in development mode: By manipulating the Host header of the HTTP request it was possible to enable debug mode. This could lead to unwanted output of sensitive data. |
| Medium | CVE-2020-10791 | ITC-2168 | Server-side request forgery: The Test Connection feature of the Grafana Module can now be completely disabled through the user role permission testGrafanaConnection.                                         |

openITCOCKPIT < 3.7.1

| Impact | CVE            | ID       | Vulnerability Summary                                                                                                                                                                                                                                                            | Remediation Summary                                                         |
|--------|----------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
| High   | CVE-2019-15491 | ITC-2166 | An authenticated openITCOCKPIT user could be lured by an attacker to a compromised website to create a valid account in openITCOCKPIT.                                                                                                                                          | Upgrade to openITCOCKPIT 3.7.1 or above.                                    |
| High   | CVE-2019-10227 | ITC-2167 | XSS vulnerability in the 404 Not Found page.                                                                                                                                                                                                                                     | Upgrade to openITCOCKPIT 3.7.1 or above.                                    |
| High   | CVE-2019-15490 | ITC-2164 | Everything passed to command_line, including macros like $USER1$ and $ARG1$, will be executed by the monitoring engine. This is the default behavior of Nagios and Naemon.                                                                                                      | Be careful which users you grant the permission to edit the command line.   |
| Medium | CVE-2019-15493 | ITC-2168 | Users with permissions to "Backup / Restore" could delete any files located at /opt/openitc/.                                                                                                                                                                                    | Upgrade to openITCOCKPIT 3.7.1 or above.                                    |
| Medium | CVE-2019-15494 | ITC-2169 | The detailed error output of the "Grafana Module" could be used by an attacker to collect information about third-party web servers.                                                                                                                                             | Upgrade to openITCOCKPIT 3.7.1 or above.                                    |
| Low    | CVE-2019-15492 | ITC-2170 | Multiple issues: (1) /hosts/ping.json allows processing of any IP address; (2) invalid API keys can be generated; (3) authenticated cross-site scripting on /dashboards/dynamicDirective?directive=script%3Ealert(1);//                                                         | Upgrade to openITCOCKPIT 3.7.1 or above.                                    |

openITCOCKPIT < 3.2.0

| Impact | CVE | ID       | Vulnerability Summary                          | Remediation Summary                      |
|--------|-----|----------|------------------------------------------------|------------------------------------------|
| High   |     | ITC-1533 | Valid LDAP users could log in without a password. | Upgrade to openITCOCKPIT 3.2 or above.   |