The NetworkInterface::getHost function in NetworkInterface.cpp in ntopng before 3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty field that should have contained a hostname or IP address.
CVSS Score
7.5
EPSS Score
0.005
Published
2017-06-26
ntopng before 3.0 allows XSS because GET and POST parameters are improperly validated.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-06-26
ntopng before 3.0 allows HTTP Response Splitting.
CVSS Score
7.5
EPSS Score
0.002
Published
2017-06-26
Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua.
CVSS Score
8.8
EPSS Score
0.001
Published
2017-01-14
ntopng (aka ntop) before 2.2 allows remote authenticated users to change the login context and gain privileges via the user cookie and username parameter to admin/password_reset.lua.
CVSS Score
6.0
EPSS Score
0.032
Published
2015-12-17
Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
CVSS Score
4.3
EPSS Score
0.274
Published
2014-09-08
Cross-site scripting (XSS) vulnerability in lua/host_details.lua in ntopng 1.1 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
CVSS Score
4.3
EPSS Score
0.003
Published
2014-06-19