Nagios
by Nagios
CVEs (124)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-37343 | 0.10 | — | 0.24 | Aug 13, 2021 | A path traversal vulnerability exists in the Nagios XI AutoDiscovery component below version 5.8.5 and could lead to post-authentication RCE under the security context of the user running Nagios. |
| CVE-2020-35578 | 0.10 | — | 0.82 | Jan 13, 2021 | An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands. |
| CVE-2020-5791 | 0.10 | — | 0.79 | Oct 20, 2020 | Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user. |
| CVE-2018-15708 | 0.10 | — | 0.89 | Nov 14, 2018 | Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request. |
| CVE-2009-2288 | 0.10 | — | 0.83 | Jul 1, 2009 | statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters. |
| CVE-2020-5792 | 0.09 | — | 0.61 | Oct 20, 2020 | Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user. |
| CVE-2018-15710 | 0.09 | — | 0.44 | Nov 14, 2018 | Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php. |
| CVE-2013-7108 | 0.08 | — | 0.60 | Jan 15, 2014 | Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in… |
| CVE-2012-6096 | 0.08 | — | 0.66 | Jan 22, 2013 | Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host… |
| CVE-2023-48084 | 0.07 | — | 0.34 | Dec 14, 2023 | Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool. |
| CVE-2023-40931 | 0.07 | — | 0.13 | Sep 19, 2023 | A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php. |
| CVE-2021-40344 | 0.06 | — | 0.66 | Oct 26, 2021 | An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote… |
| CVE-2021-40345 | 0.06 | — | 0.23 | Oct 26, 2021 | An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands. |
| CVE-2021-33179 | 0.05 | — | 0.04 | Oct 14, 2021 | The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim who accesses a specially crafted malicious URL would unknowingly execute the attached payload. |
| CVE-2019-9164 | 0.05 | — | 0.46 | Mar 28, 2019 | Command injection in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job. |
| CVE-2011-2179 | 0.05 | — | 0.26 | Jun 14, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action. |
| CVE-2022-38250 | 0.04 | — | 0.02 | Sep 7, 2022 | Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page. |
| CVE-2019-12279 | 0.04 | — | 0.04 | May 22, 2019 | Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any… |
| CVE-2024-24401 | 0.03 | — | 0.46 | Feb 26, 2024 | SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component. |
| CVE-2022-38247 | 0.03 | — | 0.02 | Sep 7, 2022 | Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Settings page under the Admin panel. |
Page 2 of 7