Lucene search

Nagios / Nagios Xi

32 matches found

added 2024/02/26 5:15 p.m. | 8189 views

CVE-2024-24402

An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.

CVSS 9.8 | AI score 6.9 | EPSS 0.19075

added 2024/02/26 5:15 p.m. | 4274 views

CVE-2024-24401

SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.

CVSS 9.8 | AI score 8.4 | EPSS 0.57847

added 2021/02/15 1:15 p.m. | 1030 views

CVE-2021-25296

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS comma...

CVSS 9 | AI score 8.8 | EPSS 0.93482

added 2019/09/05 5:15 p.m. | 1010 views

CVE-2019-15949

Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a pa...

CVSS 9 | AI score 8.8 | EPSS 0.8719

added 2021/02/15 1:15 p.m. | 988 views

CVE-2021-25297

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injec...

CVSS 9 | AI score 8.8 | EPSS 0.51009

added 2021/02/15 1:15 p.m. | 972 views

CVE-2021-25298

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command i...

CVSS 9 | AI score 8.8 | EPSS 0.77096

added 2023/12/14 7:15 a.m. | 228 views

CVE-2023-48085

Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.

CVSS 9.8 | AI score 9.8 | EPSS 0.71871

added 2018/11/14 6:29 p.m. | 169 views

CVE-2018-15708

Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.

CVSS 9.8 | AI score 9.5 | EPSS 0.92041

added 2021/01/13 9:15 p.m. | 147 views

CVE-2020-35578

An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.

CVSS 9 | AI score 6.8 | EPSS 0.90441

added 2020/10/20 10:15 p.m. | 146 views

CVE-2020-5791

Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.

CVSS 9 | AI score 7 | EPSS 0.91261

added 2021/08/13 12:15 p.m. | 113 views

CVE-2021-37350

Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation.

CVSS 9.8 | AI score 9.7 | EPSS 0.53972

added 2024/10/14 7:15 p.m. | 99 views

CVE-2023-48082

Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate.

CVSS 9.1 | AI score 9.4 | EPSS 0.06759

added 2019/06/19 6:15 p.m. | 86 views

CVE-2018-17148

An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.

CVSS 9.8 | AI score 9.5 | EPSS 0.00356

added 2023/12/14 7:15 a.m. | 81 views

CVE-2023-48084

Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.

CVSS 9.8 | AI score 9.7 | EPSS 0.86816

added 2018/04/18 12:29 a.m. | 80 views

CVE-2018-8736

A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.

CVSS 9 | AI score 8.6 | EPSS 0.67977

added 2020/11/16 3:15 a.m. | 79 views

CVE-2020-28648

Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.

CVSS 9 | AI score 8.6 | EPSS 0.13906

added 2018/04/18 12:29 a.m. | 77 views

CVE-2018-8735

Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.

CVSS 9 | AI score 9.1 | EPSS 0.76531

added 2019/05/22 4:29 p.m. | 72 views

CVE-2019-12279

Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that ...

CVSS 9.8 | AI score 9.8 | EPSS 0.25399

added 2018/04/18 12:29 a.m. | 71 views

CVE-2018-8733

Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

CVSS 9.8 | AI score 9.4 | EPSS 0.79722

added 2018/04/18 12:29 a.m. | 69 views

CVE-2018-8734

SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.

CVSS 9.8 | AI score 9.6 | EPSS 0.78955

added 2019/12/31 7:15 p.m. | 63 views

CVE-2019-20197

In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

CVSS 9 | AI score 8.9 | EPSS 0.43613

added 2022/09/07 10:15 p.m. | 58 views

CVE-2022-38250

Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.

CVSS 9.8 | AI score 9.8 | EPSS 0.04377

added 2024/05/01 1:15 p.m. | 58 views

CVE-2024-33775

An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet.

CVSS 9.8 | AI score 6.9 | EPSS 0.03376

added 2021/05/24 1:15 p.m. | 47 views

CVE-2020-28906

Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are able to modify files that are included (aka sourced) by scripts executed by root.

CVSS 9 | AI score 9 | EPSS 0.00279

added 2021/09/28 5:15 p.m. | 45 views

CVE-2021-36365

Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.

CVSS 9.8 | AI score 9.5 | EPSS 0.00997

added 2021/02/25 2:15 p.m. | 44 views

CVE-2021-3273

Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.

CVSS 9 | AI score 7.1 | EPSS 0.24281

added 2021/09/28 5:15 p.m. | 43 views

CVE-2021-36363

Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.

CVSS 9.8 | AI score 9.5 | EPSS 0.00997

added 2021/09/28 5:15 p.m. | 43 views

CVE-2021-36364

Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.

CVSS 9.8 | AI score 9.4 | EPSS 0.10899

added 2021/10/26 11:15 a.m. | 42 views

CVE-2021-40345

An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.

CVSS 9 | AI score 7.3 | EPSS 0.76499

added 2021/01/26 6:16 p.m. | 41 views

CVE-2021-3193

Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.

CVSS 9.8 | AI score 9.8 | EPSS 0.22602

added 2021/09/28 5:15 p.m. | 39 views

CVE-2021-36366

Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.

CVSS 9.8 | AI score 9.4 | EPSS 0.10899

added 2019/03/28 7:29 p.m. | 37 views

CVE-2019-9165

SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.

CVSS 9.8 | AI score 9.9 | EPSS 0.06271