CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Nagios » Nagios Xi » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-38156 79 XSS 2021-09-15 2021-09-27
3.5
None Remote Medium ??? None Partial None
In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.
2 CVE-2021-37352 601 2021-08-13 2021-08-23
5.8
None Remote Medium Not required Partial Partial None
An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.
3 CVE-2021-37351 276 2021-08-13 2021-08-23
5.0
None Remote Low Not required Partial None None
Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.
4 CVE-2021-37350 89 Sql 2021-08-13 2021-08-23
7.5
None Remote Low Not required Partial Partial Partial
Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation.
5 CVE-2021-37349 269 2021-08-13 2021-08-23
4.6
None Local Low Not required Partial Partial Partial
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database.
6 CVE-2021-37348 552 File Inclusion 2021-08-13 2021-08-23
5.0
None Remote Low Not required Partial None None
Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.
7 CVE-2021-37347 269 2021-08-13 2021-08-23
4.6
None Local Low Not required Partial Partial Partial
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.
8 CVE-2021-37345 269 2021-08-13 2021-08-23
4.6
None Local Low Not required Partial Partial Partial
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.
9 CVE-2021-37343 22 Dir. Trav. 2021-08-13 2022-02-22
6.5
None Remote Low ??? Partial Partial Partial
A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios.
10 CVE-2021-37223 918 2021-10-05 2021-10-12
4.0
None Remote Low ??? Partial None None
Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files.
11 CVE-2021-36366 2021-09-28 2021-10-04
7.5
None Remote Low Not required Partial Partial Partial
Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.
12 CVE-2021-36365 276 2021-09-28 2021-10-01
7.5
None Remote Low Not required Partial Partial Partial
Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.
13 CVE-2021-36364 2021-09-28 2021-10-04
7.5
None Remote Low Not required Partial Partial Partial
Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.
14 CVE-2021-36363 276 2021-09-28 2021-10-01
7.5
None Remote Low Not required Partial Partial Partial
Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.
15 CVE-2021-33179 79 XSS 2021-10-14 2021-10-20
4.3
None Remote Medium Not required None Partial None
The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.
16 CVE-2021-33177 89 Sql 2021-10-14 2021-10-20
6.5
None Remote Low ??? Partial Partial Partial
The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries.
17 CVE-2021-3277 434 Exec Code 2021-06-07 2021-06-15
6.5
None Remote Low ??? Partial Partial Partial
Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality in custom-includes component, which leads to remote code execution by uploading php files.
18 CVE-2021-3273 94 2021-02-25 2021-03-02
9.0
None Remote Low ??? Complete Complete Complete
Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.
19 CVE-2021-3193 Exec Code 2021-01-26 2021-02-03
7.5
None Remote Low Not required Partial Partial Partial
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.
20 CVE-2020-35578 78 Exec Code 2021-01-13 2021-04-26
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.
21 CVE-2020-28910 276 2021-05-24 2021-05-28
10.0
None Remote Low Not required Complete Complete Complete
Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.
22 CVE-2020-28906 276 2021-05-24 2021-05-28
9.0
None Remote Low ??? Complete Complete Complete
Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are able to modify files that are included (aka sourced) by scripts executed by root.
23 CVE-2020-28900 345 Exec Code 2021-05-24 2021-05-28
10.0
None Remote Low Not required Complete Complete Complete
Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.
24 CVE-2020-28648 20 Exec Code 2020-11-16 2021-05-26
9.0
None Remote Low ??? Complete Complete Complete
Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.
25 CVE-2020-27991 79 XSS 2020-11-16 2020-11-17
3.5
None Remote Medium ??? None Partial None
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).
26 CVE-2020-27990 79 XSS 2020-11-16 2020-11-17
3.5
None Remote Medium ??? None Partial None
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent).
27 CVE-2020-27989 79 XSS 2020-11-16 2020-11-17
3.5
None Remote Medium ??? None Partial None
Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard).
28 CVE-2020-27988 79 XSS 2020-11-16 2020-11-17
3.5
None Remote Medium ??? None Partial None
Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field).
29 CVE-2020-15903 269 2020-09-09 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by nagios user. This issue was fixed in version 5.7.3.
30 CVE-2020-15902 79 XSS 2020-07-22 2020-11-13
4.3
None Remote Medium Not required None Partial None
Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option.
31 CVE-2020-15901 Exec Code 2020-07-22 2020-11-13
7.5
None Remote Low Not required Partial Partial Partial
In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys.
32 CVE-2020-5791 78 Exec Code 2020-10-20 2022-06-15
9.0
None Remote Low ??? Complete Complete Complete
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
33 CVE-2019-15949 78 Exec Code 2019-09-05 2021-04-15
9.0
None Remote Low ??? Complete Complete Complete
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
34 CVE-2019-9167 79 XSS 2019-03-28 2019-04-15
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.
35 CVE-2019-9166 732 2019-03-28 2020-08-24
7.2
None Local Low Not required Complete Complete Complete
Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php.
36 CVE-2019-9165 89 Exec Code Sql 2019-03-28 2019-04-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.
37 CVE-2019-9164 79 Exec Code XSS 2019-03-28 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job.
38 CVE-2018-20172 79 XSS 2018-12-17 2019-01-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability.
39 CVE-2018-20171 79 XSS 2018-12-17 2019-01-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability.
40 CVE-2018-17148 284 2019-06-19 2019-06-21
5.0
None Remote Low Not required Partial None None
An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.
41 CVE-2018-17147 79 XSS 2019-07-10 2019-07-11
3.5
None Remote Medium ??? None Partial None
Nagios XI before 5.5.4 has XSS in the auto login admin management page.
42 CVE-2018-17146 79 Exec Code XSS 2019-06-19 2019-06-23
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page.
43 CVE-2018-10738 89 Sql 2018-05-16 2018-06-15
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.
44 CVE-2018-10737 89 Sql 2018-05-16 2018-06-15
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.
45 CVE-2018-10736 89 Sql 2018-05-16 2018-06-15
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
46 CVE-2018-10735 89 Sql 2018-05-16 2018-06-15
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.
47 CVE-2018-8736 2018-04-18 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.
48 CVE-2018-8735 78 Exec Code 2018-04-18 2019-03-04
9.0
None Remote Low ??? Complete Complete Complete
Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.
49 CVE-2018-8734 89 Exec Code Sql 2018-04-18 2019-03-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
50 CVE-2018-8733 89 Sql Bypass 2018-04-18 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
Total number of vulnerabilities : 51   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.