Latest Nagios Nagios XI Vulnerabilities

A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI versions up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the ...
Nagios Nagios XI<2024
Nagios Nagios XI=2024-r1
Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.
Nagios Nagios XI<5.11.3
Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.
Nagios Nagios XI<5.11.3
A cross-site scripting (XSS) vulnerability in Nagios XI version 5.11.1 and below allows authenticated attackers with access to the custom logo component to inject arbitrary JavaScript or HTML via the ...
Nagios Nagios XI<5.11.2
A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sen...
Nagios Nagios XI<5.11.2
A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL command...
Nagios Nagios XI<5.11.2
A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /...
Nagios Nagios XI>=5.11.0<5.11.2
Cross-site scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via the returnUrl parameter in a crafted GET request.
Nagios Nagios XI=5.7.1
Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5.
Nagios Nagios XI<5.8.7
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Settings page under the Admin panel.
Nagios Nagios XI=5.8.6
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Performance Settings page under the Admin panel.
Nagios Nagios XI=5.8.6
Nagios Nagios XI=5.8.6
Nagios XI before v5.8.7 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at auditlog.php.
Nagios Nagios XI<5.8.7
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the MTR component in version 1.0.4.
Nagios Nagios XI=5.8.6
In Nagios XI through 5.8.5, a user can change their e-mail address without password verification.
Nagios Nagios XI<=5.8.5
In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.
Nagios Nagios XI<=5.8.5
In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails from an official email address.
Nagios Nagios XI<=5.8.5
In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services. This allows an attacker to permanently disable all monito...
Nagios Nagios XI<=5.8.5
Nagios Nagios XI=5.8.5
An issue was discovered in Nagios XI 5.8.5. Insecure file permissions on the nagios_unbundler.py file allow the nagios user to elevate their privileges to the root user.
Nagios Nagios XI=5.8.5
An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the arch...
Nagios Nagios XI=5.8.5
The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, ...
Nagios Nagios XI<5.8.4
The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but on...
Nagios Nagios XI<5.8.5
Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots o...
Nagios Nagios XI<=5.8.4
Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.
Nagios Nagios XI<5.8.5
Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.
Nagios Nagios XI<5.8.5
Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.
Nagios Nagios XI<5.8.5
Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.
Nagios Nagios XI<5.8.5
In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.
Nagios Nagios XI<5.8.6
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.
Nagios Nagios XI<5.8.5
An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and co...
Nagios Nagios XI<5.8.5
Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.
Nagios Nagios XI<5.8.5
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.
Nagios Nagios XI<5.8.5
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database.
Nagios Nagios XI<5.8.5
Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation.
Nagios Nagios XI<5.8.5
Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.
Nagios Nagios XI<5.8.5
A path traversal vulnerability exists in the AutoDiscovery component of Nagios XI below version 5.8.5 and could lead to post-authentication RCE under the security context of the user running Nagios.
Nagios Nagios XI<5.8.5
Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality in custom-includes component, which leads to remote code execut...
Nagios Nagios XI<=5.7.5
Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are able to modify files that are included (...
Nagios Fusion<=4.1.8
Nagios Nagios XI<=5.7.5
Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.
Nagios Nagios XI<=5.7.5
Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to a...
Nagios Fusion<=4.1.8
Nagios Nagios XI<=5.7.5
Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.
Nagios Nagios XI<5.7
Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into a normal webapp query.
Nagios Nagios XI=5.7.2
** DISPUTED ** NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerability. An authenticated nagiosadmin user can inject additional commands into a request. NOTE: the vendor disputes wh...
Nagios Nagios XI=5.6.11
=5.6.11
Nagios XI OS Command Injection
Nagios Nagios XI=5.7.5
Nagios Nagios XI
Nagios XI OS Command Injection
Nagios Nagios XI=5.7.5
Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled in...
Nagios Nagios XI=5.7.5
Nagios XI OS Command Injection
Nagios Nagios XI=5.7.5
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account.
Nagios Favorites<1.0.2
Nagios Nagios XI=5.8.0
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS.
Nagios Favorites<1.0.2
Nagios Nagios XI=5.8.0
