Nagios: >> Nagios Xi >> 5.6.4 Security Vulnerabilities
Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.
CVSS Score
9.8
EPSS Score
0.002
Published
2021-05-24
Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-05-24
Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.
CVSS Score
7.2
EPSS Score
0.245
Published
2021-02-25
CVE-2021-25296
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Known exploited
CVSS Score
8.8
EPSS Score
0.935
Published
2021-02-15
CVE-2021-25297
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Known exploited
CVSS Score
8.8
EPSS Score
0.51
Published
2021-02-15
CVE-2021-25298
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Known exploited
CVSS Score
8.8
EPSS Score
0.771
Published
2021-02-15
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.
CVSS Score
9.8
EPSS Score
0.226
Published
2021-01-26
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.
CVSS Score
7.2
EPSS Score
0.904
Published
2021-01-13
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent).
CVSS Score
5.4
EPSS Score
0.177
Published
2020-11-16
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).
CVSS Score
5.4
EPSS Score
0.177
Published
2020-11-16