Security Disclosures

Reporting Security Vulnerabilities

Please send security vulnerabilities found in openITCOCKPIT, or in software that openITCOCKPIT uses, to: security@openitcockpit.io.

To submit a bug report please create an issue on GitHub.

Disclosed Vulnerabilities

| ID | Impact | Vulnerability Summary | Remediation Summary |
|---|---|---|---|
| RVID: 2-445b21 | High | An authenticated openITCOCKPIT user could be lured by an attacker onto a compromised website in order to create a valid account in openITCOCKPIT. | Upgrade to openITCOCKPIT 3.7.1 or above. |
| RVID: 3-445b21 | High | XSS vulnerability in the 404 Not Found page. | Upgrade to openITCOCKPIT 3.7.1 or above. |
| RVID: 4-445b21 | Medium | Users with permission for "Backup / Restore" could delete any file located under /opt/openitc/. | Upgrade to openITCOCKPIT 3.7.1 or above. |
| RVID: 5-445b21 | Medium | The detailed error output of the "Grafana Module" could be used by an attacker to collect information about other third-party web servers. | Upgrade to openITCOCKPIT 3.7.1 or above. |
| ITC-2170 | Low | /hosts/ping.json accepts and processes any IP address; invalid API keys can be generated; authenticated Cross-Site Scripting on: /dashboards/dynamicDirective?directive=script%3Ealert(1);// | Upgrade to openITCOCKPIT 3.7.1 or above. |
| ITC-1533 | High | Valid LDAP users could log in without a password. | Upgrade to openITCOCKPIT 3.2 or above. |