Note: This project will be discontinued after December 13, 2021.
Product: Nagios_xi (Nagios)

Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 103 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2021-02-15 | CVE-2021-25298 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | Nagios_xi | 8.8 | ||
2019-09-05 | CVE-2019-15949 | Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can... | Nagios_xi | 8.8 | ||
2024-02-26 | CVE-2024-24402 | An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component. | Nagios_xi | 9.8 | ||
2020-07-22 | CVE-2020-15901 | In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys. | Nagios_xi | 8.8 | ||
2020-07-22 | CVE-2020-15902 | Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option. | Nagios_xi | 6.1 | ||
2020-09-09 | CVE-2020-15903 | An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by nagios user. This issue was fixed in version 5.7.3. | Nagios_xi | 9.8 | ||
2020-10-20 | CVE-2020-5790 | Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | Nagios_xi | 6.5 | ||
2020-10-20 | CVE-2020-5791 | Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user. | Nagios_xi | 7.2 | ||
2020-10-20 | CVE-2020-5792 | Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user. | Nagios_xi | 7.2 | ||
2020-11-13 | CVE-2020-5796 | Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and execute arbitrary PHP code with root privileges. | Nagios_xi | 7.8 | ||