Total
4 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-35476 | 1 Opentsdb | 1 Opentsdb | 2023-03-03 | 7.5 HIGH | 9.8 CRITICAL |
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.) | |||||
CVE-2018-12972 | 1 Opentsdb | 1 Opentsdb | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in OpenTSDB 2.3.0. Many parameters to the /q URI can execute commands, including o, key, style, and yrange and y2range and their JSON input. | |||||
CVE-2018-12973 | 1 Opentsdb | 1 Opentsdb | 2018-08-21 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'json' to the /q URI. | |||||
CVE-2018-13003 | 1 Opentsdb | 1 Opentsdb | 2018-08-21 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'type' to the /suggest URI. |