Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Nagios_xi
(Nagios)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 106 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-09-19 | CVE-2023-40934 | A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings. | Nagios_xi | 7.2 | ||
| 2023-12-14 | CVE-2023-48084 | Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool. | Nagios_xi | 9.8 | ||
| 2019-05-22 | CVE-2019-12279 | Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issues as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that can be done with the variable provided, and while the username value being passed does get used in a SQL query, it is passed through SQL escaping functions when creating the call. The vendor tried... | Nagios_xi | 9.8 | ||
| 2019-03-28 | CVE-2019-9164 | Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job. | Nagios_xi | 8.8 | ||
| 2019-03-28 | CVE-2019-9165 | SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id. | Nagios_xi | 9.8 | ||
| 2019-03-28 | CVE-2019-9166 | Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php. | Nagios_xi | 7.8 | ||
| 2019-03-28 | CVE-2019-9167 | Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. | Nagios_xi | 6.1 | ||
| 2018-04-30 | CVE-2018-10554 | An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter. | Nagios_xi | 5.4 | ||
| 2020-03-22 | CVE-2020-10821 | Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter. | Nagios_xi | N/A | ||
| 2020-03-22 | CVE-2020-10820 | Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter. | Nagios_xi | N/A |