VYPR

XI

by Nagios

CVEs (129)

  • CVE-2018-15714 | Med | Nov 14, 2018
    risk 0.40 | cvss 6.1 | epss 0.04

    Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters.

  • CVE-2020-27991 | Med | Nov 16, 2020
    risk 0.37 | cvss 5.4 | epss 0.22

    Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).

  • CVE-2019-20139 | Med | Dec 30, 2019
    risk 0.37 | cvss 5.4 | epss 0.26

    In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user.

  • CVE-2021-26024 | Med | Feb 3, 2021
    risk 0.36 | cvss 5.3 | epss 0.19

    The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account.

  • CVE-2024-42898 | Med | Jan 9, 2025
    risk 0.35 | cvss 5.4 | epss 0.01

    A cross-site scripting (XSS) vulnerability in Nagios XI 2024R1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Account Settings page.

  • CVE-2023-51072 | Med | Feb 2, 2024
    risk 0.35 | cvss 5.4 | epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI version up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the audio file upload functionality from the Operation Center section. This allows…

  • CVE-2018-17146 | Med | Jun 19, 2019
    risk 0.35 | cvss 5.4 | epss 0.04

    A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page.

  • CVE-2018-17147 | Med | Jul 10, 2019
    risk 0.31 | cvss 4.8 | epss 0.03

    Nagios XI before 5.5.4 has XSS in the auto login admin management page.

  • CVE-2022-29270 | Med | Jun 29, 2022
    risk 0.28 | cvss 4.3 | epss 0.02

    In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address.

  • CVE-2013-6875 | Nov 26, 2013
    risk 0.03 | cvss | epss 0.03

    SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.

  • CVE-2025-34288 | Dec 16, 2025
    risk 0.00 | cvss | epss 0.02

    Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file…

  • CVE-2021-47698 | Nov 3, 2025
    risk 0.00 | cvss | epss 0.00

    Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI’s Views URL handling (escape_string()). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary…

  • CVE-2024-13997 | Nov 3, 2025
    risk 0.00 | cvss | epss 0.01

    Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level…

  • CVE-2024-13998 | Nov 3, 2025
    risk 0.00 | cvss | epss 0.01

    Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to…

  • CVE-2024-13992 | Oct 31, 2025
    risk 0.00 | cvss | epss 0.01

    Nagios XI versions prior to 2024R1.1 are vulnerable to cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied…

  • CVE-2011-10037 | Oct 30, 2025
    risk 0.00 | cvss | epss 0.01

    Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute…

  • CVE-2021-47697 | Oct 30, 2025
    risk 0.00 | cvss | epss 0.00

    Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via the Views feature URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2018-25121 | Oct 30, 2025
    risk 0.00 | cvss | epss 0.00

    Nagios XI versions prior to 5.4.13 are vulnerable to cross-site scripting (XSS) via the Views page of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

  • CVE-2013-10074 | Oct 30, 2025
    risk 0.00 | cvss | epss 0.00

    Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's…

  • CVE-2011-10040 | Oct 30, 2025
    risk 0.00 | cvss | epss 0.00

    Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the…
