XI
by Nagios
CVEs (129)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-5791 | Nagios / XI | High | 0.56 | 7.2 | 0.79 | | Oct 20, 2020 | Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user. |
| CVE-2020-5792 | Nagios / XI | High | 0.55 | 7.2 | 0.61 | | Oct 20, 2020 | Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user. |
| CVE-2021-37347 | Nagios / XI | High | 0.51 | 7.8 | 0.01 | | Aug 13, 2021 | Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument. |
| CVE-2020-5796 | Nagios / XI | High | 0.51 | 7.8 | 0.02 | | Nov 13, 2020 | Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and execute arbitrary PHP code with root privileges. |
| CVE-2018-10738 | Nagios / XI | High | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter. |
| CVE-2018-10737 | Nagios / XI | High | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter. |
| CVE-2018-10735 | Nagios / XI | High | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter. |
| CVE-2021-40345 | Nagios / XI | High | 0.49 | 7.2 | 0.23 | | Oct 26, 2021 | An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands. |
| CVE-2018-10553 | Nagios / XI | Medium | 0.45 | 6.5 | 0.39 | | Apr 30, 2018 | An issue was discovered in Nagios XI 5.4.13. A registered user is able to use directory traversal to read local files, as demonstrated by URIs beginning with the index.php?xiwindow=./ and config/?xiwindow=../ substrings. |
| CVE-2024-54961 | Nagios / XI | Medium | 0.42 | 6.5 | 0.02 | | Feb 20, 2025 | Nagios XI 2024R1.2.2 has an Information Disclosure vulnerability, which allows unauthenticated users to access multiple pages displaying the usernames and email addresses of all current users. |
| CVE-2024-54960 | Nagios / XI | Medium | 0.42 | 6.5 | 0.01 | | Feb 20, 2025 | A SQL Injection vulnerability in Nagios XI 2024R1.2.2 allows a remote attacker to execute SQL injection via a crafted payload in the History Tab component. |
| CVE-2022-29269 | Nagios / XI | Medium | 0.42 | 6.5 | 0.03 | | Jun 29, 2022 | In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails from an official email address. |
| CVE-2021-38156 | Nagios / XI | Medium | 0.42 | 5.4 | 0.89 | | Sep 15, 2021 | In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard. |
| CVE-2021-26023 | Nagios / XI | Medium | 0.42 | 6.1 | 0.25 | | Feb 3, 2021 | The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS. |
| CVE-2020-27988 | Nagios / XI | Medium | 0.42 | 5.4 | 0.85 | | Nov 16, 2020 | Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field). |
| CVE-2020-5790 | Nagios / XI | Medium | 0.42 | 6.5 | 0.02 | | Oct 20, 2020 | Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. |
| CVE-2024-54957 | Nagios / XI | Medium | 0.40 | 6.1 | 0.01 | | Feb 27, 2025 | Nagios XI 2024R1.2.2 is vulnerable to an open redirect flaw on the Tools page, exploitable by users with read-only permissions. This vulnerability allows an attacker to craft a malicious link that redirects users to an arbitrary external URL without their consent. |
| CVE-2024-54959 | Nagios / XI | Medium | 0.40 | 6.1 | 0.01 | | Feb 20, 2025 | Nagios XI 2024R1.2.2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack through the Favorites component, enabling POST-based Cross-Site Scripting (XSS). |
| CVE-2024-54958 | Nagios / XI | Medium | 0.40 | 6.1 | 0.01 | | Feb 20, 2025 | Nagios XI 2024R1.2.2 is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the Tools page. This flaw allows an attacker to inject malicious scripts into the Tools interface, which are then stored and executed in the context of other users accessing the page. |
| CVE-2020-23992 | Nagios / XI | Medium | 0.40 | 6.1 | 0.02 | | Aug 22, 2023 | Cross-Site Scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via the returnUrl parameter in a crafted GET request. |
Page 2 of 7