XI by Nagios
CVEs (129)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-25298 | Nagios / XI | High | 0.78 | 8.8 | 0.75 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can… |
| CVE-2021-25296 | Nagios / XI | High | 0.78 | 8.8 | 0.72 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which… |
| CVE-2019-15949 | Nagios / XI | High | 0.78 | 8.8 | 0.78 | KEV | Sep 5, 2019 | Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is… |
| CVE-2024-24401 | Nagios / XI | Critical | 0.67 | 9.8 | 0.46 | | Feb 26, 2024 | SQL injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component. |
| CVE-2019-12279 | Nagios / XI | Critical | 0.67 | 9.8 | 0.04 | | May 22, 2019 | Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL injection. The POC does not show any… |
| CVE-2025-25535 | Nagios / XI | Critical | 0.64 | 9.8 | 0.00 | | Mar 26, 2025 | HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request. |
| CVE-2024-24402 | Nagios / XI | Critical | 0.64 | 9.8 | 0.03 | | Feb 26, 2024 | An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component. |
| CVE-2021-36366 | Nagios / XI | Critical | 0.64 | 9.8 | 0.04 | | Sep 28, 2021 | Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards. |
| CVE-2021-36365 | Nagios / XI | Critical | 0.64 | 9.8 | 0.04 | | Sep 28, 2021 | Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh. |
| CVE-2021-36364 | Nagios / XI | Critical | 0.64 | 9.8 | 0.04 | | Sep 28, 2021 | Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards. |
| CVE-2021-36363 | Nagios / XI | Critical | 0.64 | 9.8 | 0.04 | | Sep 28, 2021 | Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php. |
| CVE-2020-28900 | Nagios / XI | Critical | 0.64 | 9.8 | 0.02 | | May 24, 2021 | Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh. |
| CVE-2020-15903 | Nagios / XI | Critical | 0.64 | 9.8 | 0.05 | | Sep 9, 2020 | An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by the nagios user. This issue was fixed in version 5.7.3. |
| CVE-2018-17148 | Nagios / XI | Critical | 0.64 | 9.8 | 0.04 | | Jun 19, 2019 | An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials. |
| CVE-2019-9165 | Nagios / XI | Critical | 0.64 | 9.8 | 0.05 | | Mar 28, 2019 | SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and a malicious user id. |
| CVE-2018-15711 | Nagios / XI | High | 0.60 | 8.8 | 0.36 | | Nov 14, 2018 | Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges. |
| CVE-2020-15901 | Nagios / XI | High | 0.59 | 8.8 | 0.22 | | Jul 22, 2020 | In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys. |
| CVE-2019-20197 | Nagios / XI | High | 0.59 | 8.8 | 0.22 | | Dec 31, 2019 | In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account. |
| CVE-2020-24899 | Nagios / XI | High | 0.58 | 8.8 | 0.13 | | Feb 15, 2021 | Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into a normal webapp query. |
| CVE-2018-15710 | Nagios / XI | High | 0.57 | 7.8 | 0.44 | | Nov 14, 2018 | Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php. |
Page 1 of 7