Home > Vulnerability Database > CVE-2024-22196

Mend.io Vulnerability Database

CVE-2024-22196

Date: January 11, 2024

Nginx-UI is an online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. This issue may lead to information disclosure. By using "DefaultQuery", the ""desc"" and ""id"" values are used as default values if the query parameters are not set. Thus, the "order" and "sort_by" query parameter are user-controlled and are being appended to the "order" variable without any sanitization. This issue has been patched in version 2.0.0.beta.9.

Language: Go

Severity Score

7.0

Related Resources (9)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-22196

Url: https://github.com/0xJacky/nginx-ui/commit/ec93ab05a3ecbb6bcf464d9dca48d74452df8a5b

Url: https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go#L91

Url: https://github.com/0xJacky/nginx-ui

Url: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h374-mm57-879c

Url: https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go#L278-L287

Url: https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go#L99C4

Url: https://github.com/advisories/GHSA-h374-mm57-879c

Url: https://www.mend.io/vulnerability-database/CVE-2024-22196

Severity Score

7.0

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

CVSS v3.1

Base Score:	7.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-22196

Date: January 11, 2024

Language: Go

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?