Lucene search
K
Database
Vendors
Products
Timeline
Vulnerabilities
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
NagiosNagios Xi

106 matches found

CVE
CVEadded 2024/02/26 5:15 p.m.8189 views

CVE-2024-24402

An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.

9.8CVSS6.9AI score0.19075EPSS
CVE
CVEadded 2024/02/26 5:15 p.m.4274 views

CVE-2024-24401

SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.

9.8CVSS8.4AI score0.57847EPSS
CVE
CVEadded 2021/02/15 1:15 p.m.1029 views

CVE-2021-25296

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS comma...

9CVSS8.8AI score0.93482EPSS
CVE
CVEadded 2019/09/05 5:15 p.m.1009 views

CVE-2019-15949

Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a pa...

9CVSS8.8AI score0.8719EPSS
CVE
CVEadded 2021/02/15 1:15 p.m.987 views

CVE-2021-25297

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injec...

9CVSS8.8AI score0.51009EPSS
CVE
CVEadded 2021/02/15 1:15 p.m.971 views

CVE-2021-25298

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command i...

9CVSS8.8AI score0.77096EPSS
CVE
CVEadded 2023/12/14 7:15 a.m.228 views

CVE-2023-48085

Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.

9.8CVSS9.8AI score0.71871EPSS
CVE
CVEadded 2018/11/14 6:29 p.m.169 views

CVE-2018-15708

Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.

9.8CVSS9.5AI score0.92041EPSS
CVE
CVEadded 2021/01/13 9:15 p.m.147 views

CVE-2020-35578

An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.

9CVSS6.8AI score0.90441EPSS
CVE
CVEadded 2020/10/20 10:15 p.m.146 views

CVE-2020-5791

Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.

9CVSS7AI score0.91261EPSS
CVE
CVEadded 2018/11/14 6:29 p.m.143 views

CVE-2018-15710

Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.

7.8CVSS8.3AI score0.78984EPSS
CVE
CVEadded 2021/08/13 12:15 p.m.113 views

CVE-2021-37350

Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation.

9.8CVSS9.7AI score0.53972EPSS
CVE
CVEadded 2024/10/14 7:15 p.m.99 views

CVE-2023-48082

Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate.

9.1CVSS9.4AI score0.06759EPSS
CVE
CVEadded 2019/06/19 6:15 p.m.86 views

CVE-2018-17148

An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.

9.8CVSS9.5AI score0.00356EPSS
CVE
CVEadded 2023/09/19 11:15 p.m.85 views

CVE-2023-40931

A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php

6.5CVSS7AI score0.88021EPSS
CVE
CVEadded 2021/02/15 1:15 p.m.84 views

CVE-2021-25299

Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session...

6.1CVSS6.8AI score0.7993EPSS
CVE
CVEadded 2023/12/14 7:15 a.m.81 views

CVE-2023-48084

Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.

9.8CVSS9.7AI score0.86816EPSS
CVE
CVEadded 2018/04/18 12:29 a.m.80 views

CVE-2018-8736

A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.

9CVSS8.6AI score0.67977EPSS
CVE
CVEadded 2020/11/16 3:15 a.m.79 views

CVE-2020-28648

Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.

9CVSS8.6AI score0.13906EPSS
CVE
CVEadded 2018/04/18 12:29 a.m.77 views

CVE-2018-8735

Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.

9CVSS9.1AI score0.76531EPSS
CVE
CVEadded 2021/08/13 12:15 p.m.77 views

CVE-2021-37343

A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios.

8.8CVSS8.4AI score0.80419EPSS
CVE
CVEadded 2019/05/22 4:29 p.m.72 views

CVE-2019-12279

Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issues as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that ...

9.8CVSS9.8AI score0.25399EPSS
CVE
CVEadded 2018/04/18 12:29 a.m.71 views

CVE-2018-8733

Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

9.8CVSS9.4AI score0.79722EPSS
CVE
CVEadded 2018/05/16 1:29 p.m.70 views

CVE-2018-10737

A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.

7.2CVSS7.5AI score0.83567EPSS
CVE
CVEadded 2018/04/18 12:29 a.m.69 views

CVE-2018-8734

SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.

9.8CVSS9.6AI score0.78955EPSS
CVE
CVEadded 2019/06/19 6:15 p.m.68 views

CVE-2018-17146

A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page.

5.4CVSS5.4AI score0.06357EPSS
CVE
CVEadded 2020/10/20 10:15 p.m.68 views

CVE-2020-5792

Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.

7.2CVSS7.2AI score0.8701EPSS
CVE
CVEadded 2023/09/19 11:15 p.m.68 views

CVE-2023-40933

A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function.

8.8CVSS8.9AI score0.18513EPSS
CVE
CVEadded 2020/03/22 8:15 p.m.66 views

CVE-2020-10821

Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter.

4.8CVSS5.1AI score0.24173EPSS
CVE
CVEadded 2021/02/15 6:15 p.m.66 views

CVE-2020-24899

Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into normal webapp query.

8.8CVSS9AI score0.04923EPSS
CVE
CVEadded 2018/05/16 1:29 p.m.65 views

CVE-2018-10736

A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.

7.2CVSS7.5AI score0.83567EPSS
CVE
CVEadded 2022/06/29 1:15 a.m.65 views

CVE-2022-29270

In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address.

4.3CVSS4.8AI score0.00543EPSS
CVE
CVEadded 2019/12/31 7:15 p.m.63 views

CVE-2019-20197

In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

9CVSS8.9AI score0.43613EPSS
CVE
CVEadded 2022/06/29 1:15 a.m.63 views

CVE-2022-29269

In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails from an official email address.

6.5CVSS6.3AI score0.04936EPSS
CVE
CVEadded 2021/08/13 12:15 p.m.62 views

CVE-2021-37347

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.

7.8CVSS8.2AI score0.00085EPSS
CVE
CVEadded 2021/08/13 12:15 p.m.61 views

CVE-2021-37349

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database.

7.8CVSS8.1AI score0.00161EPSS
CVE
CVEadded 2022/06/29 1:15 a.m.61 views

CVE-2022-29272

In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.

6.1CVSS6.1AI score0.04126EPSS
CVE
CVEadded 2020/07/22 10:15 p.m.59 views

CVE-2020-15901

In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys.

8.8CVSS9AI score0.17749EPSS
CVE
CVEadded 2021/08/13 12:15 p.m.58 views

CVE-2021-37348

Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.

7.5CVSS7.8AI score0.11694EPSS
CVE
CVEadded 2021/08/13 12:15 p.m.58 views

CVE-2021-37352

An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.

6.1CVSS6.7AI score0.03248EPSS
CVE
CVEadded 2022/09/07 10:15 p.m.58 views

CVE-2022-38250

Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.

9.8CVSS9.8AI score0.04377EPSS
CVE
CVEadded 2024/05/01 1:15 p.m.58 views

CVE-2024-33775

An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet.

9.8CVSS6.9AI score0.03376EPSS
CVE
CVEadded 2020/03/22 8:15 p.m.57 views

CVE-2020-10820

Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter.

4.8CVSS5.2AI score0.04489EPSS
CVE
CVEadded 2020/07/22 10:15 p.m.57 views

CVE-2020-15902

Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option.

6.1CVSS5.9AI score0.68611EPSS
CVE
CVEadded 2021/06/07 10:15 p.m.57 views

CVE-2021-3277

Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality in custom-includes component, which leads to remote code execution by uploading php files.

7.2CVSS7.4AI score0.32138EPSS
CVE
CVEadded 2020/03/22 8:15 p.m.56 views

CVE-2020-10819

Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter.

4.8CVSS4.9AI score0.24173EPSS
CVE
CVEadded 2020/10/20 10:15 p.m.56 views

CVE-2020-5790

Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.

6.5CVSS6.4AI score0.04873EPSS
CVE
CVEadded 2021/08/13 12:15 p.m.56 views

CVE-2021-37351

Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.

5.3CVSS6.3AI score0.00583EPSS
CVE
CVEadded 2018/05/16 1:29 p.m.55 views

CVE-2018-10738

A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.

7.2CVSS7.5AI score0.83567EPSS
CVE
CVEadded 2019/03/28 8:29 p.m.55 views

CVE-2019-9166

Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php.

7.8CVSS8.2AI score0.00047EPSS
Total number of security vulnerabilities106