Nagios >> Nagios Xi >> 2012r1.0 Security Vulnerabilities
Nagios XI versions prior to 2024R1.1.2 are vulnerable to reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors.
CVSS Score: 6.1 | EPSS Score: 0.006 | Published: 2025-10-30
Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios XI web interface depending on the target account.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2025-10-30
Nagios XI versions prior to 2024R1.1.2 (confirmed in 2024R1.1 and 2024R1.1.1) may disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts.
CVSS Score: 8.8 | EPSS Score: 0.011 | Published: 2025-10-30
Nagios XI versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
CVSS Score: 5.4 | EPSS Score: 0.006 | Published: 2025-10-30
Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command execution or disclosure of sensitive information.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2025-10-30
Nagios XI versions prior to 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
CVSS Score: 5.4 | EPSS Score: 0.006 | Published: 2025-10-30
Nagios XI < 2026R1 contains an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.
CVSS Score: 8.8 | EPSS Score: 0.012 | Published: 2025-09-25
Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user.
CVSS Score: 8.8 | EPSS Score: 0.011 | Published: 2025-08-28
Nagios XI before 2024R1 was discovered to improperly handle the generation of (randomly generated) API keys, possibly allowing attackers to generate the same set of API keys for all users and use them to authenticate.
CVSS Score: 9.1 | EPSS Score: 0.011 | Published: 2024-10-14
A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI versions up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the audio file upload functionality in the Operation Center section. This allows any authenticated user to execute arbitrary JavaScript code on behalf of other users, including administrators.
CVSS Score: 5.4 | EPSS Score: 0.018 | Published: 2024-02-02

