Nagios XI Security Vulnerabilities

CVE-2021-25297
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command...
CVSS 8.8 | AI Score 8.8 | EPSS 0.881 | Published 2021-02-15 01:15 PM | In Wild

CVE-2021-25298
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command...
CVSS 8.8 | AI Score 8.8 | EPSS 0.972 | Published 2021-02-15 01:15 PM | In Wild

CVE-2021-26024
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user...
CVSS 5.3 | AI Score 5.3 | EPSS 0.002 | Published 2021-02-03 10:15 PM

CVE-2021-26023
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to...
CVSS 6.1 | AI Score 6.2 | EPSS 0.004 | Published 2021-02-03 10:15 PM

CVE-2021-3193
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache...
CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | Published 2021-01-26 06:16 PM

CVE-2020-35578
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system...
CVSS 7.2 | AI Score 6.8 | EPSS 0.943 | Published 2021-01-13 09:15 PM

CVE-2020-27990
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add...
CVSS 5.4 | AI Score 5.2 | EPSS 0.036 | Published 2020-11-16 05:15 PM

CVE-2020-27991
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email...
CVSS 5.4 | AI Score 5.2 | EPSS 0.036 | Published 2020-11-16 05:15 PM

CVE-2020-27988
Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username...
CVSS 5.4 | AI Score 5.2 | EPSS 0.036 | Published 2020-11-16 05:15 PM

CVE-2020-27989
Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit...
CVSS 5.4 | AI Score 5.2 | EPSS 0.036 | Published 2020-11-16 05:15 PM

CVE-2020-28648
Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote...
CVSS 8.8 | AI Score 8.6 | EPSS 0.165 | Published 2020-11-16 03:15 AM

CVE-2020-5796
Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and execute arbitrary PHP code with root...
CVSS 7.8 | AI Score 7.8 | EPSS 0.001 | Published 2020-11-13 08:15 PM

CVE-2020-5792
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache...
CVSS 7.2 | AI Score 7.2 | EPSS 0.376 | Published 2020-10-20 10:15 PM

CVE-2020-5791
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache...
CVSS 7.2 | AI Score 7 | EPSS 0.861 | Published 2020-10-20 10:15 PM

CVE-2020-5790
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted...
CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | Published 2020-10-20 10:15 PM

CVE-2020-15903
An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by the nagios user. This issue was fixed in version...
CVSS 9.8 | AI Score 9.5 | EPSS 0.002 | Published 2020-09-09 09:15 PM

CVE-2020-15901
In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via...
CVSS 8.8 | AI Score 9 | EPSS 0.07 | Published 2020-07-22 10:15 PM

CVE-2020-15902
Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url...
CVSS 6.1 | AI Score 5.9 | EPSS 0.01 | Published 2020-07-22 10:15 PM

CVE-2020-10821
Nagios XI 5.6.11 allows XSS via the account/main.php theme...
CVSS 4.8 | AI Score 5.1 | EPSS 0.052 | Published 2020-03-22 08:15 PM

CVE-2020-10819
Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username...
CVSS 4.8 | AI Score 4.9 | EPSS 0.052 | Published 2020-03-22 08:15 PM

CVE-2020-10820
Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password...
CVSS 4.8 | AI Score 5.2 | EPSS 0.052 | Published 2020-03-22 08:15 PM

CVE-2019-20197
In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user...
CVSS 8.8 | AI Score 8.9 | EPSS 0.011 | Published 2019-12-31 07:15 PM

CVE-2019-20139
In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin...
CVSS 5.4 | AI Score 5.1 | EPSS 0.056 | Published 2019-12-30 03:15 PM

CVE-2019-15949
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a...
CVSS 8.8 | AI Score 8.8 | EPSS 0.442 | Published 2019-09-05 05:15 PM | In Wild

CVE-2018-17147
Nagios XI before 5.5.4 has XSS in the auto login admin management...
CVSS 4.8 | AI Score 4.8 | EPSS 0.002 | Published 2019-07-10 02:15 PM

CVE-2018-17148
An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential...
CVSS 9.8 | AI Score 9.5 | EPSS 0.006 | Published 2019-06-19 06:15 PM

CVE-2018-17146
A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management...
CVSS 5.4 | AI Score 5.4 | EPSS 0.002 | Published 2019-06-19 06:15 PM

CVE-2019-12279
Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that...
CVSS 9.8 | AI Score 9.8 | EPSS 0.014 | Published 2019-05-22 04:29 PM

CVE-2019-9167
Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow...
CVSS 6.1 | AI Score 6 | EPSS 0.123 | Published 2019-03-28 08:29 PM

CVE-2019-9166
Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and...
CVSS 7.8 | AI Score 8.2 | EPSS 0.001 | Published 2019-03-28 08:29 PM

CVE-2019-9165
SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user...
CVSS 9.8 | AI Score 9.9 | EPSS 0.017 | Published 2019-03-28 07:29 PM

CVE-2019-9164
Command injection in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery...
CVSS 8.8 | AI Score 8.9 | EPSS 0.086 | Published 2019-03-28 05:29 PM

CVE-2018-20171
An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS...
CVSS 6.1 | AI Score 5.9 | EPSS 0.002 | Published 2018-12-17 03:29 PM

CVE-2018-20172
An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS...
CVSS 6.1 | AI Score 5.9 | EPSS 0.002 | Published 2018-12-17 03:29 PM

CVE-2018-15710
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via...
CVSS 7.8 | AI Score 8.3 | EPSS 0.058 | Published 2018-11-14 06:29 PM

CVE-2018-15712
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in...
CVSS 6.1 | AI Score 6.4 | EPSS 0.282 | Published 2018-11-14 06:29 PM

CVE-2018-15714
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2...
CVSS 6.1 | AI Score 6.8 | EPSS 0.282 | Published 2018-11-14 06:29 PM

CVE-2018-15711
Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated...
CVSS 8.8 | AI Score 8.4 | EPSS 0.275 | Published 2018-11-14 06:29 PM

CVE-2018-15708
Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP...
CVSS 9.8 | AI Score 9.5 | EPSS 0.423 | Published 2018-11-14 06:29 PM

CVE-2018-15709
Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP...
CVSS 8.8 | AI Score 8.6 | EPSS 0.042 | Published 2018-11-14 06:29 PM

CVE-2018-15713
Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in...
CVSS 5.4 | AI Score 5.9 | EPSS 0.004 | Published 2018-11-14 06:29 PM

CVE-2018-10736
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1...
CVSS 7.2 | AI Score 7.5 | EPSS 0.037 | Published 2018-05-16 01:29 PM

CVE-2018-10735
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname...
CVSS 7.2 | AI Score 7.5 | EPSS 0.037 | Published 2018-05-16 01:29 PM

CVE-2018-10737
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch...
CVSS 7.2 | AI Score 7.5 | EPSS 0.037 | Published 2018-05-16 01:29 PM

CVE-2018-10738
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1...
CVSS 7.2 | AI Score 7.5 | EPSS 0.037 | Published 2018-05-16 01:29 PM

CVE-2018-10554
An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the...
CVSS 5.4 | AI Score 5.5 | EPSS 0.001 | Published 2018-04-30 03:29 AM

CVE-2018-10553
An issue was discovered in Nagios XI 5.4.13. A registered user is able to use directory traversal to read local files, as demonstrated by URIs beginning with index.php?xiwindow=./ and config/?xiwindow=../...
CVSS 6.5 | AI Score 6.2 | EPSS 0.001 | Published 2018-04-30 03:29 AM

CVE-2018-8734
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1...
CVSS 9.8 | AI Score 9.6 | EPSS 0.351 | Published 2018-04-18 12:29 AM

CVE-2018-8735
Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command...
CVSS 8.8 | AI Score 9.1 | EPSS 0.858 | Published 2018-04-18 12:29 AM

CVE-2018-8736
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to...
CVSS 8.8 | AI Score 8.6 | EPSS 0.51 | Published 2018-04-18 12:29 AM

Total number of security vulnerabilities: 101
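The affected-version wording in the entries above is inconsistent ("before 5.7.5", "through 5.7", "5.2.x through 5.4.x before 5.4.13", or a single tested release such as "5.7.3" or "xi-5.7.5"), which makes it easy to misjudge whether a given install is covered. The script below is an added example, not code from this page or from Nagios: it turns that wording into version predicates and reports which of a subset of the listed CVEs match an installed version string. The constraint strings are copied from the descriptions above; the parsing rules are this example's own reading of that wording, and treating "xi-5.7.5" as 5.7.5 is an assumption. Entries that name only one tested release are matched exactly, because the description gives no fix version; older releases are not assumed affected, so an empty result means "none of these ranges match", not "clean".

```python
"""Match an installed Nagios XI version against the affected-version wording
quoted in the CVE descriptions above.

Added example; not code from the original page or from Nagios. The wording in
ADVISORIES is copied from the descriptions on this page (a subset); the parsing
rules for "before", "through" and "X.Y.x" are this example's own reading of it,
and treating "xi-5.7.5" as 5.7.5 is an assumption.
"""
import re
from typing import Callable, List, Tuple

Version = Tuple[int, ...]

# (CVE ID, affected-version wording as it appears in the description, issue class)
ADVISORIES = [
    ("CVE-2021-25297", "xi-5.7.5", "OS command injection (switch wizard)"),
    ("CVE-2021-25298", "xi-5.7.5", "OS command injection (cloud-vm wizard)"),
    ("CVE-2021-3193", "through 5.7", "unauthenticated RCE (Docker Config Wizard)"),
    ("CVE-2020-35578", "before 5.8.0", "OS command execution via plugin upload"),
    ("CVE-2020-28648", "before 5.7.5", "RCE via Auto-Discovery"),
    ("CVE-2020-5791", "5.7.3", "OS command injection (admin)"),
    ("CVE-2020-15903", "before 5.7.3", "privilege escalation to root"),
    ("CVE-2020-15901", "before 5.7.3", "command execution via ajaxhelper.php"),
    ("CVE-2019-15949", "before 5.6.6", "remote command execution as root"),
    ("CVE-2019-9165", "before 5.5.11", "SQL injection via the API"),
    ("CVE-2018-15708", "5.5.6", "unauthenticated command execution (Snoopy)"),
    ("CVE-2018-8734", "5.2.x through 5.4.x before 5.4.13", "SQL injection (CCM)"),
    ("CVE-2018-10736", "before 5.4.13", "SQL injection (admin/info.php)"),
    ("CVE-2018-10553", "5.4.13", "directory traversal via xiwindow"),
]

_NUM = r"(\d+(?:\.\d+)*)"


def parse_version(text: str) -> Version:
    """'xi-5.7.5' -> (5, 7, 5); '5.7' -> (5, 7). Any non-numeric prefix is dropped."""
    m = re.search(_NUM, text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_constraint(text: str) -> Callable[[Version], bool]:
    """Turn advisory wording into a predicate over version tuples.

    'before X'                  -> v < X
    'through X'                 -> leading components of v <= X (5.7.5 is 'through 5.7')
    'A.x through B.x before X'  -> A <= v < X  (B.x is already implied by 'before X')
    'X' / 'xi-X'                -> v == X  (one tested release; older ones NOT assumed)
    """
    t = text.strip().lower()
    m = re.fullmatch(rf"{_NUM}\.x through {_NUM}\.x before {_NUM}", t)
    if m:
        lo, fixed = parse_version(m.group(1)), parse_version(m.group(3))
        return lambda v: lo <= v < fixed
    m = re.fullmatch(rf"before {_NUM}", t)
    if m:
        fixed = parse_version(m.group(1))
        return lambda v: v < fixed
    m = re.fullmatch(rf"through {_NUM}", t)
    if m:
        hi = parse_version(m.group(1))
        return lambda v: v[: len(hi)] <= hi
    exact = parse_version(t)
    return lambda v: v == exact


def matching_cves(installed: str) -> List[str]:
    """Return the CVE IDs from ADVISORIES whose wording covers `installed`, in list order."""
    v = parse_version(installed)
    return [cve for cve, wording, _ in ADVISORIES if parse_constraint(wording)(v)]


if __name__ == "__main__":
    # Constructed sample versions, chosen to sit on either side of the range edges.
    for ver in ("5.4.12", "5.4.13", "5.7.3", "5.7.5", "5.8.0"):
        hits = matching_cves(ver)
        print(f"Nagios XI {ver}: {len(hits)} matching entries {', '.join(hits)}")
```

Run it against the version reported by the target's web UI or /usr/local/nagiosxi/var/xiversion; the output is a shortlist to verify, not a finding, since several entries (the "5.7.3" and "5.5.6" ones) only state the release the reporter tested.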