CVE-2018-19204

Published: Nov 12, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

PRTG Network Monitor before 18.3.44.2054 allows a remote authenticated attacker (with read-write privileges) to execute arbitrary code and OS commands with system privileges. When creating an HTTP Advanced Sensor, the user's input in the POST parameter 'proxyport_' is mishandled. The attacker can craft an HTTP request and override the 'writeresult' command-line parameter for HttpAdvancedSensor.exe to store arbitrary data in an arbitrary place on the file system. For example, the attacker can create an executable file in the \Custom Sensors\EXE directory and execute it by creating EXE/Script Sensor.

Affected (1)

Products: Paessler: Prtg Network Monitor

1 product

Prtg Network Monitor

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Paessler Prtg Network Monitor	Before 18.3.44.2054

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

http://en.securitylab.ru/lab/PT-2018-23

Source: cve@mitre.org

Third Party Advisory

https://www.paessler.com/prtg/history/stable#18.3.44.2054

Source: cve@mitre.org

Vendor Advisory

https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2018-23/

Source: cve@mitre.org

Third Party Advisory

http://en.securitylab.ru/lab/PT-2018-23

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.paessler.com/prtg/history/stable#18.3.44.2054

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2018-23/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.