CVE-2016-10367

high-risk
Published 2017-05-03

In Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch), an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple URL encoding bypass, %252f instead of /.

Do I need to act?

!
50.8% chance of exploitation in next 30 days
EPSS score — higher than 49% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (4)

Affected Vendors

Opsview

References (2)

Exploit https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/...
Exploit https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/...
54
/ 100
high-risk
Severity 26/34 · High
Exploitability 18/34 · Moderate
Exposure 10/34 · Low