Nagios
by Nagios
CVEs (124)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-38249 | | | 0.03 | — | 0.02 | | Sep 7, 2022 | Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the MTR component in version 1.0.4. |
| CVE-2022-38251 | | | 0.03 | — | 0.02 | | Sep 7, 2022 | Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Performance Settings page under the Admin panel. |
| CVE-2022-38254 | | | 0.03 | — | 0.02 | | Sep 7, 2022 | Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5. |
| CVE-2021-33177 | | | 0.03 | — | 0.10 | | Oct 14, 2021 | The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries. |
| CVE-2021-37350 | | | 0.03 | — | 0.79 | | Aug 13, 2021 | Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation. |
| CVE-2020-15901 | | | 0.03 | — | 0.22 | | Jul 22, 2020 | In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys. |
| CVE-2020-15902 | | | 0.03 | — | 0.35 | | Jul 22, 2020 | Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option. |
| CVE-2019-20197 | | | 0.03 | — | 0.22 | | Dec 31, 2019 | In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account. |
| CVE-2019-9202 | | | 0.03 | — | 0.24 | | Mar 28, 2019 | Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues. |
| CVE-2014-4703 | | | 0.03 | — | 0.01 | | Dec 5, 2014 | lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4701. |
| CVE-2024-24402 | | | 0.02 | — | 0.03 | | Feb 26, 2024 | An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component. |
| CVE-2021-3273 | | | 0.02 | — | 0.06 | | Feb 25, 2021 | Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system. |
| CVE-2021-3193 | | | 0.02 | — | 0.10 | | Jan 22, 2021 | Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user. |
| CVE-2020-10821 | | | 0.02 | — | 0.74 | | Mar 22, 2020 | Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter. |
| CVE-2018-15712 | | | 0.02 | — | 0.49 | | Nov 14, 2018 | Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php. |
| CVE-2018-15711 | | | 0.02 | — | 0.36 | | Nov 14, 2018 | Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges. |
| CVE-2018-15714 | | | 0.02 | — | 0.04 | | Nov 14, 2018 | Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters. |
| CVE-2023-40933 | | | 0.01 | — | 0.05 | | Sep 19, 2023 | A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function. |
| CVE-2021-36366 | | | 0.01 | — | 0.04 | | Sep 28, 2021 | Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards. |
| CVE-2021-36364 | | | 0.01 | — | 0.04 | | Sep 28, 2021 | Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards. |