Nagios Security Vulnerabilities

CVE-2020-22427
Nagios XI 5.6.11 is affected by a remote code execution (RCE) vulnerability. An authenticated nagiosadmin user can inject additional commands into a request. NOTE: the vendor disputes whether the CVE and its references are actionable because all technical details are omitted, and the only option is...
CVSS 7.2 | AI Score 7.4 | EPSS 0.003 | Published 2021-02-15 06:15 PM

CVE-2021-25299
Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her...
CVSS 6.1 | AI Score 6.8 | EPSS 0.964 | Published 2021-02-15 01:15 PM

CVE-2021-25296
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS...
CVSS 8.8 | AI Score 8.8 | EPSS 0.881 | Published 2021-02-15 01:15 PM | In Wild

CVE-2021-25297
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command...
CVSS 8.8 | AI Score 8.8 | EPSS 0.881 | Published 2021-02-15 01:15 PM | In Wild

CVE-2021-25298
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command...
CVSS 8.8 | AI Score 8.8 | EPSS 0.972 | Published 2021-02-15 01:15 PM | In Wild

CVE-2021-26024
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user...
CVSS 5.3 | AI Score 5.3 | EPSS 0.002 | Published 2021-02-03 10:15 PM

CVE-2021-26023
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to...
CVSS 6.1 | AI Score 6.2 | EPSS 0.004 | Published 2021-02-03 10:15 PM

CVE-2021-3193
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache...
CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | Published 2021-01-26 06:16 PM

CVE-2020-35578
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system...
CVSS 7.2 | AI Score 6.8 | EPSS 0.943 | Published 2021-01-13 09:15 PM

CVE-2020-35269
Nagios Core application version 4.2.4 is vulnerable to site-wide Cross-Site Request Forgery (CSRF) in many functions, such as adding or deleting hosts or...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001 | Published 2020-12-23 07:15 PM

CVE-2020-27990
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add...
CVSS 5.4 | AI Score 5.2 | EPSS 0.036 | Published 2020-11-16 05:15 PM

CVE-2020-27991
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email...
CVSS 5.4 | AI Score 5.2 | EPSS 0.036 | Published 2020-11-16 05:15 PM

CVE-2020-27988
Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username...
CVSS 5.4 | AI Score 5.2 | EPSS 0.036 | Published 2020-11-16 05:15 PM

CVE-2020-27989
Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit...
CVSS 5.4 | AI Score 5.2 | EPSS 0.036 | Published 2020-11-16 05:15 PM

CVE-2020-28648
Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote...
CVSS 8.8 | AI Score 8.6 | EPSS 0.165 | Published 2020-11-16 03:15 AM

CVE-2020-5796
Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and execute arbitrary PHP code with root...
CVSS 7.8 | AI Score 7.8 | EPSS 0.001 | Published 2020-11-13 08:15 PM

CVE-2020-5792
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache...
CVSS 7.2 | AI Score 7.2 | EPSS 0.376 | Published 2020-10-20 10:15 PM

CVE-2020-5791
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache...
CVSS 7.2 | AI Score 7.0 | EPSS 0.861 | Published 2020-10-20 10:15 PM

CVE-2020-5790
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted...
CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | Published 2020-10-20 10:15 PM

CVE-2020-15903
An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that run as root, where some included files were editable by the nagios user. This issue was fixed in version...
CVSS 9.8 | AI Score 9.5 | EPSS 0.002 | Published 2020-09-09 09:15 PM

CVE-2020-15901
In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via...
CVSS 8.8 | AI Score 9.0 | EPSS 0.07 | Published 2020-07-22 10:15 PM

CVE-2020-15902
Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url...
CVSS 6.1 | AI Score 5.9 | EPSS 0.01 | Published 2020-07-22 10:15 PM

CVE-2020-7206
HP nagios plugin for iLO (nagios-plugins-hpilo v1.50 and earlier) has a php code injection...
CVSS 9.8 | AI Score 9.6 | EPSS 0.002 | Published 2020-07-17 10:15 PM

CVE-2020-13977
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been...
CVSS 4.9 | AI Score 6.6 | EPSS 0.03 | Published 2020-06-09 02:15 PM

CVE-2020-10821
Nagios XI 5.6.11 allows XSS via the account/main.php theme...
CVSS 4.8 | AI Score 5.1 | EPSS 0.052 | Published 2020-03-22 08:15 PM

CVE-2020-10819
Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username...
CVSS 4.8 | AI Score 4.9 | EPSS 0.052 | Published 2020-03-22 08:15 PM

CVE-2020-10820
Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password...
CVSS 4.8 | AI Score 5.2 | EPSS 0.052 | Published 2020-03-22 08:15 PM

CVE-2020-6584
Nagios Log Server 2.1.3 has Incorrect Access...
CVSS 6.5 | AI Score 6.5 | EPSS 0.001 | Published 2020-03-16 04:15 PM

CVE-2020-6585
Nagios Log Server 2.1.3 has...
CVSS 8.8 | AI Score 8.6 | EPSS 0.002 | Published 2020-03-16 04:15 PM

CVE-2020-6586
Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a crafted name field that is mishandled on the /admin/users page. Any malicious user with limited access can store an XSS payload in the Name field. When any admin views this, the XSS is...
CVSS 5.4 | AI Score 5.1 | EPSS 0.007 | Published 2020-03-16 04:15 PM

CVE-2019-3698
UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE...
CVSS 7.0 | AI Score 6.7 | EPSS 0.001 | Published 2020-02-28 02:15 PM

CVE-2019-20197
In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user...
CVSS 8.8 | AI Score 8.9 | EPSS 0.011 | Published 2019-12-31 07:15 PM

CVE-2019-20139
In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin...
CVSS 5.4 | AI Score 5.1 | EPSS 0.056 | Published 2019-12-30 03:15 PM

CVE-2019-15949
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a...
CVSS 8.8 | AI Score 8.8 | EPSS 0.442 | Published 2019-09-05 05:15 PM | In Wild

CVE-2018-17147
Nagios XI before 5.5.4 has XSS in the auto login admin management...
CVSS 4.8 | AI Score 4.8 | EPSS 0.002 | Published 2019-07-10 02:15 PM

CVE-2018-17148
An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential...
CVSS 9.8 | AI Score 9.5 | EPSS 0.006 | Published 2019-06-19 06:15 PM

CVE-2018-17146
A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management...
CVSS 5.4 | AI Score 5.4 | EPSS 0.002 | Published 2019-06-19 06:15 PM

CVE-2019-12279
Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because it does not seem to be a legitimate SQL injection. The POC does not show any valid injection that...
CVSS 9.8 | AI Score 9.8 | EPSS 0.014 | Published 2019-05-22 04:29 PM

CVE-2019-9167
Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow...
CVSS 6.1 | AI Score 6.0 | EPSS 0.123 | Published 2019-03-28 08:29 PM

CVE-2019-9166
Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and...
CVSS 7.8 | AI Score 8.2 | EPSS 0.001 | Published 2019-03-28 08:29 PM

CVE-2019-9165
SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user...
CVSS 9.8 | AI Score 9.9 | EPSS 0.017 | Published 2019-03-28 07:29 PM

CVE-2019-9164
Command injection in Nagios XI before 5.5.11 allows an authenticated user to execute arbitrary remote commands via a new autodiscovery...
CVSS 8.8 | AI Score 8.9 | EPSS 0.086 | Published 2019-03-28 05:29 PM

CVE-2018-20171
An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS...
CVSS 6.1 | AI Score 5.9 | EPSS 0.002 | Published 2018-12-17 03:29 PM

CVE-2018-20172
An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS...
CVSS 6.1 | AI Score 5.9 | EPSS 0.002 | Published 2018-12-17 03:29 PM

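Several of the Nagios XI entries above name the exact script and query parameter that carries the attacker's input: the id parameter of schedulereport.php (CVE-2019-20197, shell metacharacters), the host/hostgroup/servicegroup parameters of nocscreenapi.php and the hour/frequency parameters of schedulereport.php (CVE-2019-20139), the url and rss_url parameters of the magpie_simple.php and magpie_slashbox.php RSS dashlet scripts (CVE-2018-20171, CVE-2018-20172), and the profile.php?cmd=download request that triggers the root-run getprofile.sh (CVE-2019-15949). That is enough to hunt for exploitation attempts in web-server logs after the fact. The detector below is an added example written for this page; it is not code from Nagios, from the advisory authors, or from the vulnerability database. It assumes Apache common-log-format lines (Nagios XI is normally served by Apache), matches on script basename plus parameter name, and decodes each value a second time so double-encoded payloads are caught. The sample log lines are constructed, the directory prefixes in them are made up, and the metacharacter and script-tag patterns are my own heuristics that will also flag some legitimate values; treat a hit as a lead to review, not as proof of compromise.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache common/combined log prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a numeric report id (CVE-2019-20197).
SHELL_META = re.compile(r"[;&|`$<>\n]")
# Crude markers of a reflected script payload in parameters the advisories name as XSS sinks.
XSS_HINT = re.compile(r"<\s*/?\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# (script basename, query parameter, pattern on the decoded value, CVE). Script and parameter
# names come from the advisories on this page; the patterns are my own heuristics (assumption).
RULES = [
    ("schedulereport.php", "id", SHELL_META, "CVE-2019-20197"),
    ("schedulereport.php", "hour", XSS_HINT, "CVE-2019-20139"),
    ("schedulereport.php", "frequency", XSS_HINT, "CVE-2019-20139"),
    ("nocscreenapi.php", "host", XSS_HINT, "CVE-2019-20139"),
    ("nocscreenapi.php", "hostgroup", XSS_HINT, "CVE-2019-20139"),
    ("nocscreenapi.php", "servicegroup", XSS_HINT, "CVE-2019-20139"),
    ("magpie_simple.php", "url", XSS_HINT, "CVE-2018-20171"),
    ("magpie_slashbox.php", "rss_url", XSS_HINT, "CVE-2018-20172"),
]


def parse_clf(line):
    """Split one access-log line into its fields, or return None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_request(target):
    """Return (cve, parameter, decoded value) triples for one request target (path + query)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # CVE-2019-15949: the system-profile download runs a root script. The request itself is
    # legitimate admin activity, so this is an audit trigger, not evidence of exploitation.
    if script == "profile.php" and "download" in params.get("cmd", []):
        hits.append(("CVE-2019-15949", "cmd", "download"))
    for rule_script, name, pattern, cve in RULES:
        if rule_script != script:
            continue
        for value in params.get(name, []):
            # parse_qs already percent-decoded once; a second pass exposes double-encoded
            # payloads such as %253B, a common filter-evasion trick.
            decoded = unquote_plus(value)
            if pattern.search(decoded):
                hits.append((cve, name, decoded))
    return hits


def scan_log(lines):
    """Run check_request over every parseable line; return one finding dict per hit."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        for cve, param, value in check_request(rec["target"]):
            findings.append({"cve": cve, "ip": rec["ip"], "user": rec["user"],
                             "status": rec["status"], "param": param, "value": value})
    return findings


# Constructed sample lines, not real traffic. Directory prefixes are made up; only the
# script basenames and parameter names come from the advisories.
SAMPLE_LOG = [
    '10.0.0.5 - nagiosadmin [30/Dec/2019:10:15:02 +0000] "GET /nagiosxi/reports/schedulereport.php?id=3%3Bid%3E%2Ftmp%2Fo HTTP/1.1" 200 512',
    '10.0.0.5 - nagiosadmin [30/Dec/2019:10:16:40 +0000] "GET /nagiosxi/reports/schedulereport.php?id=12 HTTP/1.1" 200 512',
    '10.0.0.9 - jdoe [30/Dec/2019:11:02:11 +0000] "GET /nagiosxi/nocscreenapi.php?host=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 88',
    '10.0.0.9 - jdoe [30/Dec/2019:11:05:00 +0000] "GET /nagiosxi/admin/profile.php?cmd=download HTTP/1.1" 200 20480',
    '10.0.0.9 - jdoe [30/Dec/2019:11:07:31 +0000] "GET /nagiosxi/rss_dashlet/magpierss/scripts/magpie_simple.php?url=javascript:alert(1) HTTP/1.1" 200 300',
    'not an access log line',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against a real access_log, the user field tells you which account the requests were made under, which matters here because every one of these advisories except the unauthenticated XSS cases requires an authenticated session; a hit from a low-privilege account is the interesting one.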
CVE-2018-18245
Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to...
CVSS 5.4 | AI Score 5.5 | EPSS 0.001 | Published 2018-12-17 03:29 PM

CVE-2018-15710
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via...
CVSS 7.8 | AI Score 8.3 | EPSS 0.058 | Published 2018-11-14 06:29 PM

CVE-2018-15712
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in...
CVSS 6.1 | AI Score 6.4 | EPSS 0.282 | Published 2018-11-14 06:29 PM

CVE-2018-15714
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2...
CVSS 6.1 | AI Score 6.8 | EPSS 0.282 | Published 2018-11-14 06:29 PM

CVE-2018-15711
Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated...
CVSS 8.8 | AI Score 8.4 | EPSS 0.275 | Published 2018-11-14 06:29 PM

CVE-2018-15708
Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP...
CVSS 9.8 | AI Score 9.5 | EPSS 0.423 | Published 2018-11-14 06:29 PM

Total number of security vulnerabilities: 146
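
Most of the Nagios XI entries on this page state their fix as a version bound ("Nagios XI before 5.5.11", "before 5.7.5", and so on), so the first question for an operator is simply whether the installed build falls under any of those bounds. The check below is an added example written for this page, not code from Nagios or from the vulnerability database. It pulls the numeric version out of the strings Nagios XI reports (the "xi-5.7.5" form appears in several entries above), compares it numerically rather than as text, and lists which "before X.Y.Z" advisories from this page still apply. Entries that give only a single affected build (for example the 5.5.6 and 5.6.11 groups), or that bound a component rather than Nagios XI itself (CVE-2021-3193's Docker Config Wizard, the Favorites component in CVE-2021-26023/26024), carry no fixed Nagios XI version here and are deliberately left out; the table is my transcription of the page and nothing more.

```python
import re

# "Nagios XI before X.Y.Z" bounds transcribed from the advisories on this page.
FIXED_IN = {
    "CVE-2018-17146": "5.5.4", "CVE-2018-17147": "5.5.4", "CVE-2018-17148": "5.5.4",
    "CVE-2018-20171": "5.5.8", "CVE-2018-20172": "5.5.8",
    "CVE-2019-9164": "5.5.11", "CVE-2019-9165": "5.5.11",
    "CVE-2019-9166": "5.5.11", "CVE-2019-9167": "5.5.11",
    "CVE-2019-15949": "5.6.6",
    "CVE-2020-15902": "5.7.2",
    "CVE-2020-15901": "5.7.3", "CVE-2020-15903": "5.7.3",
    "CVE-2020-27988": "5.7.5", "CVE-2020-27989": "5.7.5", "CVE-2020-27990": "5.7.5",
    "CVE-2020-27991": "5.7.5", "CVE-2020-28648": "5.7.5",
    "CVE-2020-35578": "5.8.0",
}


def parse_version(text):
    """Extract a numeric (major, minor, patch) tuple from 'xi-5.7.5', '5.5.11', 'Nagios XI 5.7', etc.

    A missing patch component is treated as 0, so '5.7' means 5.7.0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.groups(default="0"))


def is_before(installed, fixed):
    """True when the installed build is older than the version the advisory names as fixed."""
    return parse_version(installed) < parse_version(fixed)


def applicable(installed):
    """CVEs from this page whose 'before' bound still covers the installed version."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if is_before(installed, fixed))


if __name__ == "__main__":
    # Why numeric comparison matters: as strings, "5.5.11" sorts before "5.5.4" because
    # '1' < '4', which would wrongly mark a patched 5.5.11 install as vulnerable to the
    # 5.5.4 fixes. The tuple comparison gets it right.
    print('"5.5.11" < "5.5.4" as strings:', "5.5.11" < "5.5.4")
    print("5.5.11 before 5.5.4 numerically:", is_before("5.5.11", "5.5.4"))
    for build in ("xi-5.5.11", "5.7.4", "xi-5.8.0"):
        print(build, "->", applicable(build) or "none of the bounded advisories")
```

Feed it the version string from the Nagios XI web interface or from the installed package, and note what the result does not say: a build at or above every bound listed here can still be affected by the single-version entries above and by anything published after this listing was captured.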