VYPR

XI

by Nagios

CVEs (84)

  • CVE-2020-5791Oct 20, 2020
    Nagios
    XI
    risk 0.10cvss epss 0.88

    Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.

  • CVE-2020-5792Oct 20, 2020
    Nagios
    XI
    risk 0.09cvss epss 0.81

    Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.

  • CVE-2013-6875Nov 26, 2013
    Nagios
    XI
    risk 0.05cvss epss 0.20

    SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.

  • CVE-2025-34288Dec 16, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower‑privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user.

  • CVE-2021-47698Nov 3, 2025
    Nagios
    Nagios Core
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI’s Views URL handling (escape_string()). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2024-13997Nov 3, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level attacker could execute actions outside the intended security scope of the application, resulting in full control of the operating system.

  • CVE-2024-13998Nov 3, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.01

    Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions.

  • CVE-2024-13992Oct 31, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.01

    Nagios XI versions prior to < 2024R1.1 is vulnerable to a cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied input, allowing an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI domain.

  • CVE-2011-10037Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.01

    Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2021-47697Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via the Views feature URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2018-25121Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 5.4.13 are vulnerable to cross-site scripting (XSS) via the Views page of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2013-10074Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2011-10040Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2016-15051Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2011-10038Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2021-47695Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 5.8.0 are vulnerable to stored cross-site scripting (XSS) via the My Tools page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2016-15053Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2016-15052Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Menu System of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2020-36866Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.00

    Nagios XI versions prior to 5.7.3 are vulnerable to cross-site scripting (XSS) via the Manage Users page of the Admin interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2023-7316Oct 30, 2025
    Nagios
    XI
    risk 0.00cvss epss 0.01

    Nagios XI versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Page 1 of 5