Vulnerability Details CVE-2021-40344
An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.672
EPSS Ranking 98.4%
CVSS Severity
CVSS v3 Score 7.2
CVSS v2 Score 6.5
References
- https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
- https://synacktiv.com
- https://www.synacktiv.com/sites/default/files/2021-10/Nagios_XI_multiple_vulnerabilities_0.pdf
- https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
- https://synacktiv.com
- https://www.synacktiv.com/sites/default/files/2021-10/Nagios_XI_multiple_vulnerabilities_0.pdf