Note:
This project will be discontinued after December 13, 2021.
Product: Nagios_xi (Nagios)

Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 103 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2019-05-22 | CVE-2019-12279 | Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that can be done with the variable provided, and while the username value being passed does get used in a SQL query, it is passed through SQL escaping functions when creating the call. The vendor tried... | Nagios_xi | 9.8 | ||
2019-03-28 | CVE-2019-9164 | Command injection in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job. | Nagios_xi | 8.8 | ||
2019-03-28 | CVE-2019-9165 | SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id. | Nagios_xi | 9.8 | ||
2019-03-28 | CVE-2019-9166 | Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php. | Nagios_xi | 7.8 | ||
2019-03-28 | CVE-2019-9167 | Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. | Nagios_xi | 6.1 | ||
2018-04-30 | CVE-2018-10554 | An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter. | Nagios_xi | 5.4 | ||
2020-03-22 | CVE-2020-10821 | Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter. | Nagios_xi | N/A | ||
2020-03-22 | CVE-2020-10820 | Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter. | Nagios_xi | N/A | ||
2020-03-22 | CVE-2020-10819 | Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter. | Nagios_xi | N/A | ||
2019-12-31 | CVE-2019-20197 | In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account. | Nagios_xi | N/A |