Nagios >> Nagios XI Security Vulnerabilities
CVE-2021-25296
Known exploited
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
CVSS Score: 8.8
EPSS Score: 0.936
Published: 2021-02-15
CVE-2021-25297
Known exploited
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
CVSS Score: 8.8
EPSS Score: 0.799
Published: 2021-02-15
CVE-2021-25298
Known exploited
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
CVSS Score: 8.8
EPSS Score: 0.755
Published: 2021-02-15
Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server.
CVSS Score: 6.1
EPSS Score: 0.852
Published: 2021-02-15
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account.
CVSS Score: 5.3
EPSS Score: 0.003
Published: 2021-02-03
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS.
CVSS Score: 6.1
EPSS Score: 0.38
Published: 2021-02-03
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.
CVSS Score: 9.8
EPSS Score: 0.254
Published: 2021-01-26
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.
CVSS Score: 7.2
EPSS Score: 0.852
Published: 2021-01-13
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent).
CVSS Score: 5.4
EPSS Score: 0.06
Published: 2020-11-16
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).
CVSS Score: 5.4
EPSS Score: 0.06
Published: 2020-11-16

