Nagios
by Nagios
CVEs (124)
| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-8734 | Critical | 0.71 | 9.8 | 0.53 | | Apr 18, 2018 | SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter. |
| CVE-2018-8733 | Critical | 0.69 | 9.8 | 0.28 | | Apr 18, 2018 | Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability. |
| CVE-2016-9565 | Critical | 0.69 | 9.8 | 0.23 | | Dec 15, 2016 | MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for… |
| CVE-2018-8735 | High | 0.65 | 8.8 | 0.64 | | Apr 18, 2018 | Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection. |
| CVE-2012-10029 | High | 0.64 | — | 0.03 | | Aug 5, 2025 | Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized parameters such as `host`, resulting in remote code execution. |
| CVE-2018-8736 | High | 0.64 | 8.8 | 0.47 | | Apr 18, 2018 | A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root. |
| CVE-2016-0726 | Critical | 0.64 | 9.8 | 0.02 | | Jun 6, 2017 | The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials. |
| CVE-2008-7313 | Critical | 0.64 | 9.8 | 0.05 | | Mar 31, 2017 | The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796. |
| CVE-2014-5009 | Critical | 0.57 | 9.8 | 0.05 | | Mar 31, 2017 | Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008. |
| CVE-2016-9566 | High | 0.54 | 7.8 | 0.05 | | Dec 15, 2016 | base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. |
| CVE-2016-10089 | High | 0.51 | 7.8 | 0.01 | | Feb 15, 2017 | Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641. |
| CVE-2018-10736 | High | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter. |
| CVE-2017-12847 | Medium | 0.41 | 6.3 | 0.01 | | Aug 23, 2017 | Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill… |
| CVE-2016-8641 | Medium | 0.40 | 6.7 | 0.01 | | Aug 1, 2018 | A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and… |
| CVE-2016-6209 | Medium | 0.40 | 6.1 | 0.02 | | Mar 31, 2017 | Cross-site scripting (XSS) vulnerability in Nagios. |
| CVE-2018-10554 | Medium | 0.35 | 5.4 | 0.03 | | Apr 30, 2018 | An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages… |
| CVE-2021-25297 | | 0.22 | — | 0.43 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead… |
| CVE-2021-25296 | | 0.22 | — | 0.72 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which… |
| CVE-2019-15949 | | 0.22 | — | 0.78 | KEV | Sep 5, 2019 | Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is… |
| CVE-2021-25298 | | 0.21 | — | 0.75 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can… |
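The affected-version wording in the table ("5.2.x through 5.4.x before 5.4.13", "before 5.6.6", "version xi-5.7.5") is easy to misread when checking a deployment, so here is an added example, not Nagios code and not part of the listing, that encodes the Nagios XI ranges exactly as the table states them and reports which listed CVEs cover a given version, with KEV entries first. The `Range` class, `parse_version` and `affected_cves` are this example's own names. Only the versions the table names are encoded: an entry that names a single version (such as xi-5.7.5) is matched exactly, since the page does not say whether earlier builds are affected, and the Graph Explorer component entry (CVE-2012-10029) is left out because it is keyed on a component version, not the XI version.

```python
import re
from dataclasses import dataclass
from typing import Optional

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """Extract the dotted numeric part of a Nagios XI version string.
    'xi-5.7.5' -> (5, 7, 5); '5.4.13' -> (5, 4, 13)."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


@dataclass(frozen=True)
class Range:
    """Affected-version range as the CVE text states it.
    lo is inclusive, hi is exclusive, None means unbounded;
    exact matches the one version the entry names and nothing else."""
    cve: str
    lo: Optional[Version] = None
    hi: Optional[Version] = None
    exact: Optional[Version] = None
    kev: bool = False

    def contains(self, v: Version) -> bool:
        if self.exact is not None:
            return v == self.exact
        # Tuple comparison treats (5, 2) as lower than (5, 2, 0),
        # so lo=(5, 2) covers every 5.2.x build.
        if self.lo is not None and v < self.lo:
            return False
        if self.hi is not None and not v < self.hi:
            return False
        return True


# Ranges transcribed from the table above (Nagios XI entries only).
NAGIOS_XI_RANGES = [
    Range("CVE-2018-8734", lo=(5, 2), hi=(5, 4, 13)),
    Range("CVE-2018-8733", lo=(5, 2), hi=(5, 4, 13)),
    Range("CVE-2018-8735", lo=(5, 2), hi=(5, 4, 13)),
    Range("CVE-2018-8736", lo=(5, 2), hi=(5, 4, 13)),
    Range("CVE-2018-10736", hi=(5, 4, 13)),
    Range("CVE-2018-10554", exact=(5, 4, 13)),
    Range("CVE-2021-25297", exact=(5, 7, 5), kev=True),
    Range("CVE-2021-25296", exact=(5, 7, 5), kev=True),
    Range("CVE-2019-15949", hi=(5, 6, 6), kev=True),
    Range("CVE-2021-25298", exact=(5, 7, 5), kev=True),
]


def affected_cves(version_text: str, ranges=NAGIOS_XI_RANGES) -> list[str]:
    """Return the IDs of listed CVEs whose stated range covers the version.
    KEV entries (known exploited in the wild) come first; the sort is
    stable, so table order is kept within each group."""
    v = parse_version(version_text)
    hits = [r for r in ranges if r.contains(v)]
    hits.sort(key=lambda r: not r.kev)
    return [r.cve for r in hits]


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for ver in ("xi-5.4.2", "5.4.13", "xi-5.7.5", "5.8.0"):
        print(ver, "->", affected_cves(ver) or "no listed CVE matches")
```

Note what 5.4.13 returns: it is the fix release for the 2018 core config manager issues, yet it still falls under "before 5.6.6" for CVE-2019-15949, the KEV-listed root RCE, so it should not be treated as clean. A version that matches nothing here is only clear of the entries on this page of the listing; the table header counts 124 CVEs across seven pages.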
Page 1 of 7