Vendor CVEs
Nagios
All CVEs
293 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description | Vendor / Product | Sev | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-26024 | 0.00 | — | 0.19 | Feb 3, 2021 | The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account. | |||
| CVE-2020-27991 | 0.00 | — | 0.22 | Nov 16, 2020 | Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field). | |||
| CVE-2020-27990 | 0.00 | — | 0.22 | Nov 16, 2020 | Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent). | |||
| CVE-2020-27989 | 0.00 | — | 0.22 | Nov 16, 2020 | Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard). | |||
| CVE-2020-5796 | 0.00 | — | 0.02 | Nov 13, 2020 | Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and execute arbitrary PHP code with root privileges. | |||
| CVE-2020-5790 | 0.00 | — | 0.02 | Oct 20, 2020 | Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | |||
| CVE-2020-13977 | 0.00 | — | 0.03 | Jun 9, 2020 | Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this… | |||
| CVE-2020-10820 | 0.00 | — | 0.30 | Mar 22, 2020 | Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter. | |||
| CVE-2020-6582 | 0.00 | — | 0.04 | Mar 16, 2020 | Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call. | |||
| CVE-2020-6581 | 0.00 | — | 0.02 | Mar 16, 2020 | Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection. | |||
| CVE-2020-6584 | 0.00 | — | 0.04 | Mar 16, 2020 | Nagios Log Server 2.1.3 has Incorrect Access Control. | |||
| CVE-2020-6585 | 0.00 | — | 0.01 | Mar 16, 2020 | Nagios Log Server 2.1.3 has CSRF. | |||
| CVE-2019-3698 | 0.00 | — | 0.01 | Feb 28, 2020 | UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause DoS or potentially escalate privileges by winning a race. This… | |||
| CVE-2019-15898 | 0.00 | — | 0.02 | Sep 3, 2019 | Nagios Log Server before 2.0.8 allows Reflected XSS via the username on the Login page. | |||
| CVE-2018-17147 | 0.00 | — | 0.03 | Jul 10, 2019 | Nagios XI before 5.5.4 has XSS in the auto login admin management page. | |||
| CVE-2018-17146 | 0.00 | — | 0.04 | Jun 19, 2019 | A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page. | |||
| CVE-2018-17148 | 0.00 | — | 0.04 | Jun 19, 2019 | An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials. | |||
| CVE-2019-9166 | 0.00 | — | 0.01 | Mar 28, 2019 | Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php. | |||
| CVE-2019-9203 | 0.00 | — | 0.20 | Mar 28, 2019 | Authorization bypass in Nagios IM (component of Nagios XI) before 2.2.7 allows closing incidents in IM via the API. | |||
| CVE-2019-9204 | 0.00 | — | 0.20 | Mar 28, 2019 | SQL injection vulnerability in Nagios IM (component of Nagios XI) before 2.2.7 allows attackers to execute arbitrary SQL commands. | |||
| CVE-2018-18245 | 0.00 | — | 0.03 | Dec 17, 2018 | Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to NRPE. | |||
| CVE-2018-20171 | 0.00 | — | 0.02 | Dec 17, 2018 | An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability. | |||
| CVE-2018-20172 | 0.00 | — | 0.02 | Dec 17, 2018 | An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability. | |||
| CVE-2018-15713 | 0.00 | — | 0.07 | Nov 14, 2018 | Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php. | |||
| CVE-2014-4702 | 0.00 | — | 0.00 | Dec 5, 2014 | The check_icmp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4701. | |||
| CVE-2014-4701 | 0.00 | — | 0.01 | Dec 5, 2014 | The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4702. | |||
| CVE-2014-8994 | 0.00 | — | 0.00 | Nov 28, 2014 | The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbitrary files via a symlink attack on a temporary file with a predictable name (tmp/check_diskio_status-*-*). | |||
| CVE-2013-4215 | 0.00 | — | 0.00 | May 5, 2014 | The IPXPING_COMMAND in contrib/check_ipxping.c in Nagios Plugins 1.4.16 allows local users to gain privileges via a symlink attack on /tmp/ipxping/ipxping. | |||
| CVE-2014-1878 | 0.00 | — | 0.03 | Feb 28, 2014 | Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to… | |||
| CVE-2013-2214 | 0.00 | — | 0.04 | Feb 10, 2014 | status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2)… | |||
| CVE-2013-7205 | 0.00 | — | 0.04 | Jan 15, 2014 | Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in… | |||
| CVE-2013-4214 | 0.00 | — | 0.00 | Nov 23, 2013 | rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache. | |||
| CVE-2011-1523 | 0.00 | — | 0.03 | May 3, 2011 | Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the layer parameter. | |||
| CVE-2008-6373 | 0.00 | — | 0.05 | Mar 2, 2009 | Unspecified vulnerability in Nagios before 3.0.6 has unspecified impact and remote attack vectors related to CGI programs, "adaptive external commands," and "writing newlines and submitting service comments." | |||
| CVE-2008-5028 | 0.00 | — | 0.02 | Nov 10, 2008 | Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecified HTTP requests. | |||
| CVE-2008-4796 | 0.00 | — | 0.09 | Oct 30, 2008 | The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell… | |||
| CVE-2007-5803 | 0.00 | — | 0.02 | May 13, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360. | |||
| CVE-2008-1360 | 0.00 | — | 0.02 | Mar 17, 2008 | Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts, a different issue than CVE-2007-5624. | |||
| CVE-2007-5624 | 0.00 | — | 0.02 | Oct 23, 2007 | Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts. | |||
| CVE-2007-5623 | 0.00 | — | 0.03 | Oct 23, 2007 | Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies. | |||
| CVE-2006-2489 | 0.00 | — | 0.05 | May 19, 2006 | Integer overflow in CGI scripts in Nagios 1.x before 1.4.1 and 2.x before 2.3.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a content length (Content-Length) HTTP header. NOTE: this is a different vulnerability than… | |||
| CVE-2006-2162 | 0.00 | — | 0.05 | May 3, 2006 | Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header. | |||
| CVE-2002-1959 | 0.00 | — | 0.04 | Dec 31, 2002 | Nagios 1.0b1 through 1.0b3 allows remote attackers to execute arbitrary commands via shell metacharacters in plugin output. |