Shodan
Vulnerabilities
Vulnerable Software
Nagios:  >> Nagios Xi  >> 5.5.6  Security Vulnerabilities
CVE-2019-15949
Known exploited
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
CVSS Score
8.8
EPSS Score
0.871
Published
2019-09-05
CVE-2019-9166
Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php.
CVSS Score
7.8
EPSS Score
0.0
Published
2019-03-28
CVE-2019-9167
Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.
CVSS Score
6.1
EPSS Score
0.136
Published
2019-03-28
CVE-2019-9165
SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.
CVSS Score
9.8
EPSS Score
0.063
Published
2019-03-28
CVE-2019-9164
Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job.
CVSS Score
8.8
EPSS Score
0.647
Published
2019-03-28
CVE-2018-20171
An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability.
CVSS Score
6.1
EPSS Score
0.038
Published
2018-12-17
CVE-2018-20172
An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability.
CVSS Score
6.1
EPSS Score
0.038
Published
2018-12-17
CVE-2018-15708
Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.
CVSS Score
9.8
EPSS Score
0.918
Published
2018-11-14
CVE-2018-15709
Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request.
CVSS Score
8.8
EPSS Score
0.112
Published
2018-11-14
CVE-2018-15710
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.
CVSS Score
7.8
EPSS Score
0.784
Published
2018-11-14


Products
Pricing
Contact Us

Shodan ® - All rights reserved