XI

by Nagios

CVEs (129)

  • CVE-2021-25298 · High · KEV · Feb 15, 2021
    risk 0.78 · cvss 8.8 · epss 0.75

    Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can…

  • CVE-2021-25296 · High · KEV · Feb 15, 2021
    risk 0.78 · cvss 8.8 · epss 0.72

    Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which…

  • CVE-2019-15949 · High · KEV · Sep 5, 2019
    risk 0.78 · cvss 8.8 · epss 0.78

    Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is…

  • CVE-2024-24401 · Critical · Feb 26, 2024
    risk 0.67 · cvss 9.8 · epss 0.46

    SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.

  • CVE-2019-12279 · Critical · May 22, 2019
    risk 0.67 · cvss 9.8 · epss 0.04

    Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any…

  • CVE-2025-25535 · Critical · Mar 26, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request.

  • CVE-2024-24402 · Critical · Feb 26, 2024
    risk 0.64 · cvss 9.8 · epss 0.03

    An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.

  • CVE-2021-36366 · Critical · Sep 28, 2021
    risk 0.64 · cvss 9.8 · epss 0.04

    Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.

  • CVE-2021-36365 · Critical · Sep 28, 2021
    risk 0.64 · cvss 9.8 · epss 0.04

    Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.

  • CVE-2021-36364 · Critical · Sep 28, 2021
    risk 0.64 · cvss 9.8 · epss 0.04

    Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.

  • CVE-2021-36363 · Critical · Sep 28, 2021
    risk 0.64 · cvss 9.8 · epss 0.04

    Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.

  • CVE-2020-28900 · Critical · May 24, 2021
    risk 0.64 · cvss 9.8 · epss 0.02

    Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.

  • CVE-2020-15903 · Critical · Sep 9, 2020
    risk 0.64 · cvss 9.8 · epss 0.05

    An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root, where some included files were editable by the nagios user. This issue was fixed in version 5.7.3.

  • CVE-2018-17148 · Critical · Jun 19, 2019
    risk 0.64 · cvss 9.8 · epss 0.04

    An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.

  • CVE-2019-9165 · Critical · Mar 28, 2019
    risk 0.64 · cvss 9.8 · epss 0.05

    SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.

  • CVE-2018-15711 · High · Nov 14, 2018
    risk 0.60 · cvss 8.8 · epss 0.36

    Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges.

  • CVE-2020-15901 · High · Jul 22, 2020
    risk 0.59 · cvss 8.8 · epss 0.22

    In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys.

  • CVE-2019-20197 · High · Dec 31, 2019
    risk 0.59 · cvss 8.8 · epss 0.22

    In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

  • CVE-2020-24899 · High · Feb 15, 2021
    risk 0.58 · cvss 8.8 · epss 0.13

    Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into a normal webapp query.

  • CVE-2018-15710 · High · Nov 14, 2018
    risk 0.57 · cvss 7.8 · epss 0.44

    Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.
