Nagios
All CVEs
293 total · sorted by risk

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-8734 | Cri | 0.71 | 9.8 | 0.53 | | Apr 18, 2018 | SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter. |
| CVE-2018-8733 | Cri | 0.69 | 9.8 | 0.28 | | Apr 18, 2018 | Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability. |
| CVE-2016-9565 | Cri | 0.69 | 9.8 | 0.23 | | Dec 15, 2016 | MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for… |
| CVE-2018-8735 | Hig | 0.65 | 8.8 | 0.64 | | Apr 18, 2018 | Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection. |
| CVE-2023-53948 | Cri | 0.64 | 9.8 | 0.01 | | Dec 19, 2025 | Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a… |
| CVE-2012-10029 | Hig | 0.64 | — | 0.03 | | Aug 5, 2025 | Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized parameters such as `host`, resulting in remote code execution. |
| CVE-2018-8736 | Hig | 0.64 | 8.8 | 0.47 | | Apr 18, 2018 | A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root. |
| CVE-2016-0726 | Cri | 0.64 | 9.8 | 0.02 | | Jun 6, 2017 | The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials. |
| CVE-2008-7313 | Cri | 0.64 | 9.8 | 0.05 | | Mar 31, 2017 | The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796. |
| CVE-2014-5009 | Cri | 0.57 | 9.8 | 0.05 | | Mar 31, 2017 | Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008. |
| CVE-2016-9566 | Hig | 0.54 | 7.8 | 0.05 | | Dec 15, 2016 | base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. |
| CVE-2017-14312 | Hig | 0.51 | 7.8 | 0.00 | | Sep 11, 2017 | Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root but supports configuration options in which this file is owned by a non-root account (and similarly can have nagios.cfg owned by a non-root account), which allows local users to gain privileges by leveraging… |
| CVE-2016-10089 | Hig | 0.51 | 7.8 | 0.01 | | Feb 15, 2017 | Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641. |
| CVE-2018-10738 | Hig | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter. |
| CVE-2018-10737 | Hig | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter. |
| CVE-2018-10736 | Hig | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter. |
| CVE-2018-10735 | Hig | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter. |
| CVE-2023-37154 | Hig | 0.48 | 8.4 | 0.00 | | Oct 9, 2024 | check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution via ProxyCommand, LocalCommand, and PermitLocalCommand with `${IFS}`. This has been categorized both as fixed in e8810de, and as intended behavior. |
| CVE-2018-10553 | Med | 0.45 | 6.5 | 0.39 | | Apr 30, 2018 | An issue was discovered in Nagios XI 5.4.13. A registered user is able to use directory traversal to read local files, as demonstrated by URIs beginning with index.php?xiwindow=./ and config/?xiwindow=../ substrings. |
| CVE-2017-12847 | Med | 0.41 | 6.3 | 0.01 | | Aug 23, 2017 | Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill… |
| CVE-2025-44002 | Med | 0.40 | 6.1 | 0.00 | | Aug 26, 2025 | Race Condition in the Directory Validation Logic in the TeamViewer Full Client and Host prior version 15.69 on Windows allows a local non-admin user to create arbitrary files with SYSTEM privileges, potentially leading to a denial-of-service condition, via symbolic link… |
| CVE-2016-8641 | Med | 0.40 | 6.7 | 0.01 | | Aug 1, 2018 | A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and… |
| CVE-2018-12501 | Med | 0.40 | 6.1 | 0.02 | | Jun 16, 2018 | Nagios Fusion before 4.1.4 has XSS, aka TPS#13332-13335. |
| CVE-2015-3618 | Med | 0.40 | 6.1 | 0.01 | | Feb 6, 2018 | Cross-site scripting (XSS) vulnerability in Nagios Business Process Intelligence (BPI) before 2.3.4 allows remote attackers to inject arbitrary web script or HTML via vectors involving index.php. |
| CVE-2016-6209 | Med | 0.40 | 6.1 | 0.02 | | Mar 31, 2017 | Cross-site scripting (XSS) vulnerability in Nagios. |
| CVE-2018-13458 | Med | 0.39 | 5.5 | 0.05 | | Jul 12, 2018 | qh_core in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket. |
| CVE-2018-13457 | Med | 0.39 | 5.5 | 0.05 | | Jul 12, 2018 | qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket. |
| CVE-2018-13441 | Med | 0.39 | 5.5 | 0.01 | | Jul 12, 2018 | qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket. |
| CVE-2018-10554 | Med | 0.35 | 5.4 | 0.03 | | Apr 30, 2018 | An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages… |
| CVE-2026-6342 | Med | 0.28 | 4.3 | 0.00 | | May 18, 2026 | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost… |
| CVE-2021-25296 | | 0.22 | — | 0.72 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which… |
| CVE-2021-25297 | | 0.22 | — | 0.43 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead… |
| CVE-2019-15949 | | 0.22 | — | 0.78 | KEV | Sep 5, 2019 | Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is… |
| CVE-2021-25298 | | 0.21 | — | 0.75 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can… |
| CVE-2021-37343 | | 0.10 | — | 0.24 | | Aug 13, 2021 | A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios. |
| CVE-2020-35578 | | 0.10 | — | 0.82 | | Jan 13, 2021 | An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands. |
| CVE-2020-5791 | | 0.10 | — | 0.79 | | Oct 20, 2020 | Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user. |
| CVE-2018-15708 | | 0.10 | — | 0.89 | | Nov 14, 2018 | Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request. |
| CVE-2009-2288 | | 0.10 | — | 0.83 | | Jul 1, 2009 | statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters. |
| CVE-2020-5792 | | 0.09 | — | 0.61 | | Oct 20, 2020 | Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user. |
| CVE-2018-15710 | | 0.09 | — | 0.44 | | Nov 14, 2018 | Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php. |
| CVE-2013-7108 | | 0.08 | — | 0.60 | | Jan 15, 2014 | Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in… |
| CVE-2013-1362 | | 0.08 | — | 0.66 | | Jul 9, 2013 | Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash. |
| CVE-2012-6096 | | 0.08 | — | 0.66 | | Jan 22, 2013 | Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host… |
| CVE-2023-48084 | | 0.07 | — | 0.34 | | Dec 14, 2023 | Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool. |
| CVE-2023-40931 | | 0.07 | — | 0.13 | | Sep 19, 2023 | A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php |
| CVE-2021-38156 | | 0.07 | — | 0.89 | | Sep 15, 2021 | In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard. |
| CVE-2021-25299 | | 0.07 | — | 0.97 | | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to… |
| CVE-2021-40344 | | 0.06 | — | 0.66 | | Oct 26, 2021 | An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote… |
| CVE-2021-40345 | | 0.06 | — | 0.23 | | Oct 26, 2021 | An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands. |
Page 1 of 6