Nagios

All CVEs

293 total · sorted by risk
  • CVE-2023-48085 · Dec 14, 2023
    risk 0.05 · cvss · epss 0.76

    Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.

  • CVE-2021-33179 · Oct 14, 2021
    risk 0.05 · cvss · epss 0.04

    The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.

  • CVE-2019-9164 · Mar 28, 2019
    risk 0.05 · cvss · epss 0.46

    Command injection in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job.

  • CVE-2011-2179 · Jun 14, 2011
    risk 0.05 · cvss · epss 0.26

    Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.

  • CVE-2025-29471 · Apr 15, 2025
    risk 0.04 · cvss · epss 0.06

    Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field.

  • CVE-2022-38250 · Sep 7, 2022
    risk 0.04 · cvss · epss 0.02

    Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.

  • CVE-2021-37344 · Aug 13, 2021
    risk 0.04 · cvss · epss 0.97

    Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection).

  • CVE-2021-37346 · Aug 13, 2021
    risk 0.04 · cvss · epss 0.74

    Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection).

  • CVE-2021-35479 · Jul 27, 2021
    risk 0.04 · cvss · epss 0.13

    Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter. This affects users who open a crafted link or third-party web page.

  • CVE-2021-35478 · Jul 27, 2021
    risk 0.04 · cvss · epss 0.77

    Nagios Log Server before 2.1.9 contains Reflected XSS in the dropdown box for the alert history and audit log function. All parameters used for filtering are affected. This affects users who open a crafted link or third-party web page.

  • CVE-2020-28905 · May 24, 2021
    risk 0.04 · cvss · epss 0.26

    Improper Input Validation in Nagios Fusion 4.1.8 and earlier allows an authenticated attacker to execute remote code via table pagination.

  • CVE-2021-28924 · Apr 8, 2021
    risk 0.04 · cvss · epss 0.09

    Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page.

  • CVE-2021-28925 · Apr 8, 2021
    risk 0.04 · cvss · epss 0.04

    SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.

  • CVE-2019-12279 · May 22, 2019
    risk 0.04 · cvss · epss 0.04

    Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any…

  • CVE-2014-2913 · May 7, 2014
    risk 0.04 · cvss · epss 0.15

    Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has…

  • CVE-2007-5198 · Oct 4, 2007
    risk 0.04 · cvss · epss 0.08

    Buffer overflow in the redir function in check_http.c in Nagios Plugins before 1.4.10, when running with the -f (follow) option, allows remote web servers to execute arbitrary code via Location header responses (redirects) with a large number of leading "L" characters.

  • CVE-2024-24401 · Feb 26, 2024
    risk 0.03 · cvss · epss 0.46

    SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.

  • CVE-2022-38247 · Sep 7, 2022
    risk 0.03 · cvss · epss 0.02

    Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Settings page under the Admin panel.

  • CVE-2022-38248 · Sep 7, 2022
    risk 0.03 · cvss · epss 0.02

    Nagios XI before v5.8.7 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at auditlog.php.

  • CVE-2022-38249 · Sep 7, 2022
    risk 0.03 · cvss · epss 0.02

    Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the MTR component in version 1.0.4.

  • CVE-2022-38251 · Sep 7, 2022
    risk 0.03 · cvss · epss 0.02

    Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Performance Settings page under the Admin panel.

  • CVE-2022-38254 · Sep 7, 2022
    risk 0.03 · cvss · epss 0.02

    Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5.

  • CVE-2021-33177 · Oct 14, 2021
    risk 0.03 · cvss · epss 0.10

    The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary SQL queries.

  • CVE-2021-37350 · Aug 13, 2021
    risk 0.03 · cvss · epss 0.79

    Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation.

  • CVE-2020-25385 · Jan 20, 2021
    risk 0.03 · cvss · epss 0.16

    Nagios Log Server 2.1.7 contains a cross-site scripting (XSS) vulnerability in /nagioslogserver/configure/create_snapshot through the snapshot_name parameter, which may impact users who open a maliciously crafted link or third-party web page.

  • CVE-2020-15901 · Jul 22, 2020
    risk 0.03 · cvss · epss 0.22

    In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys.

  • CVE-2020-15902 · Jul 22, 2020
    risk 0.03 · cvss · epss 0.35

    Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option.

  • CVE-2019-20197 · Dec 31, 2019
    risk 0.03 · cvss · epss 0.22

    In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

  • CVE-2019-9202 · Mar 28, 2019
    risk 0.03 · cvss · epss 0.24

    Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues.

  • CVE-2014-4703 · Dec 5, 2014
    risk 0.03 · cvss · epss 0.01

    lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4701.

  • CVE-2013-6875 · Nov 26, 2013
    risk 0.03 · cvss · epss 0.03

    SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.

  • CVE-2024-24402 · Feb 26, 2024
    risk 0.02 · cvss · epss 0.03

    An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.

  • CVE-2021-3277 · Jun 7, 2021
    risk 0.02 · cvss · epss 0.55

    Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality in the custom-includes component, which leads to remote code execution by uploading PHP files.

  • CVE-2021-3273 · Feb 25, 2021
    risk 0.02 · cvss · epss 0.06

    Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.

  • CVE-2020-24899 · Feb 15, 2021
    risk 0.02 · cvss · epss 0.13

    Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into a normal webapp query.

  • CVE-2021-3193 · Jan 22, 2021
    risk 0.02 · cvss · epss 0.10

    Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.

  • CVE-2020-27988 · Nov 16, 2020
    risk 0.02 · cvss · epss 0.85

    Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field).

  • CVE-2020-10819 · Mar 22, 2020
    risk 0.02 · cvss · epss 0.74

    Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter.

  • CVE-2020-10821 · Mar 22, 2020
    risk 0.02 · cvss · epss 0.74

    Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter.

  • CVE-2018-15712 · Nov 14, 2018
    risk 0.02 · cvss · epss 0.49

    Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php.

  • CVE-2018-15714 · Nov 14, 2018
    risk 0.02 · cvss · epss 0.04

    Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters.

  • CVE-2018-15711 · Nov 14, 2018
    risk 0.02 · cvss · epss 0.36

    Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges.

  • CVE-2023-40933 · Sep 19, 2023
    risk 0.01 · cvss · epss 0.05

    A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function.

  • CVE-2021-36366 · Sep 28, 2021
    risk 0.01 · cvss · epss 0.04

    Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.

  • CVE-2021-36364 · Sep 28, 2021
    risk 0.01 · cvss · epss 0.04

    Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.

  • CVE-2021-37348 · Aug 13, 2021
    risk 0.01 · cvss · epss 0.03

    Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.

  • CVE-2020-22427 · Feb 15, 2021
    risk 0.01 · cvss · epss 0.13

    NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerability. An authenticated nagiosadmin user can inject additional commands into a request. NOTE: the vendor disputes whether the CVE and its references are actionable because all technical details are omitted, and…

  • CVE-2020-28648 · Nov 16, 2020
    risk 0.01 · cvss · epss 0.06

    Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.

  • CVE-2020-15903 · Sep 9, 2020
    risk 0.01 · cvss · epss 0.05

    An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by the nagios user. This issue was fixed in version 5.7.3.

  • CVE-2020-16157 · Jul 30, 2020
    risk 0.01 · cvss · epss 0.14

    A Stored XSS vulnerability exists in Nagios Log Server before 2.1.7 via the Notification Methods -> Email Users menu.
