VYPR

Nagios

by Nagios

CVEs (124)

  • CVE-2021-37343 (Aug 13, 2021)
    risk 0.10 | cvss | epss 0.24

    A path traversal vulnerability exists in the AutoDiscovery component of Nagios XI below version 5.8.5 and could lead to post-authentication RCE under the security context of the user running Nagios.

  • CVE-2020-35578 (Jan 13, 2021)
    risk 0.10 | cvss | epss 0.82

    An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.

  • CVE-2020-5791 (Oct 20, 2020)
    risk 0.10 | cvss | epss 0.79

    Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.

  • CVE-2018-15708 (Nov 14, 2018)
    risk 0.10 | cvss | epss 0.89

    Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.

  • CVE-2009-2288 (Jul 1, 2009)
    risk 0.10 | cvss | epss 0.83

    statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.

  • CVE-2020-5792 (Oct 20, 2020)
    risk 0.09 | cvss | epss 0.61

    Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.

  • CVE-2018-15710 (Nov 14, 2018)
    risk 0.09 | cvss | epss 0.44

    Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.

  • CVE-2013-7108 (Jan 15, 2014)
    risk 0.08 | cvss | epss 0.60

    Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in…

  • CVE-2012-6096 (Jan 22, 2013)
    risk 0.08 | cvss | epss 0.66

    Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host…

  • CVE-2023-48084 (Dec 14, 2023)
    risk 0.07 | cvss | epss 0.34

    Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.

  • CVE-2023-40931 (Sep 19, 2023)
    risk 0.07 | cvss | epss 0.13

    A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php.

  • CVE-2021-40344 (Oct 26, 2021)
    risk 0.06 | cvss | epss 0.66

    An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote…

  • CVE-2021-40345 (Oct 26, 2021)
    risk 0.06 | cvss | epss 0.23

    An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.

  • CVE-2021-33179 (Oct 14, 2021)
    risk 0.05 | cvss | epss 0.04

    The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.

  • CVE-2019-9164 (Mar 28, 2019)
    risk 0.05 | cvss | epss 0.46

    Command injection in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job.

  • CVE-2011-2179 (Jun 14, 2011)
    risk 0.05 | cvss | epss 0.26

    Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.

  • CVE-2022-38250 (Sep 7, 2022)
    risk 0.04 | cvss | epss 0.02

    Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.

  • CVE-2019-12279 (May 22, 2019)
    risk 0.04 | cvss | epss 0.04

    Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any…

  • CVE-2024-24401 (Feb 26, 2024)
    risk 0.03 | cvss | epss 0.46

    SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.

  • CVE-2022-38247 (Sep 7, 2022)
    risk 0.03 | cvss | epss 0.02

    Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Settings page under the Admin panel.
