SB2017100412 - Multiple vulnerabilities in PRTG Network Monitor
Published: October 4, 2017 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Improper Privilege Management (CVE-ID: CVE-2017-15917)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to create a Map as a read-only user, by forging a request and sending it to the server.
2) Input validation error (CVE-ID: CVE-2017-15651)
The vulnerability allows a local privileged user to execute arbitrary code.
PRTG Network Monitor 17.3.33.2830 allows remote authenticated administrators to execute arbitrary code by uploading a .exe file and then proceeding in spite of the error message.
3) Cross-site scripting (CVE-ID: CVE-2017-15360)
The vulnerability allows a remote authenticated user to read and manipulate data.
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all group names created, related to incorrect error handling for an HTML encoded script.
4) Cross-site scripting (CVE-ID: CVE-2017-15008)
The vulnerability allows a remote privileged user to read and manipulate data.
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all sensor titles, related to incorrect error handling for a %00 in the SRC attribute of an IMG element.
5) Cross-site scripting (CVE-ID: CVE-2017-15009)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
PRTG Network Monitor version 17.3.33.2830 is vulnerable to reflected Cross-Site Scripting on error.htm (the error page), via the errormsg parameter.
Remediation
Install update from vendor's website.