Nagios: Security Vulnerabilities
Execution with Unnecessary Privileges in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation as nagios via installation of a malicious component containing PHP code.
CVSS Score: 9.8
EPSS Score: 0.003
Published: 2021-05-24
Improper Input Validation in Nagios Fusion 4.1.8 and earlier allows an authenticated attacker to execute remote code via table pagination.
CVSS Score: 8.8
EPSS Score: 0.442
Published: 2021-05-24
Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page.
CVSS Score: 6.1
EPSS Score: 0.662
Published: 2021-04-08
SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.
CVSS Score: 9.8
EPSS Score: 0.742
Published: 2021-04-08
Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.
CVSS Score: 7.2
EPSS Score: 0.243
Published: 2021-02-25
NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerability. An authenticated nagiosadmin user can inject additional commands into a request. NOTE: the vendor disputes whether the CVE and its references are actionable because all technical details are omitted, and the only option is to pay for a subscription service where technical details may be disclosed at an unspecified later time.
CVSS Score: 7.2
EPSS Score: 0.366
Published: 2021-02-15
Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into a normal webapp query.
CVSS Score: 8.8
EPSS Score: 0.049
Published: 2021-02-15
CVE-2021-25296
Known exploited
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
CVSS Score: 8.8
EPSS Score: 0.935
Published: 2021-02-15
CVE-2021-25297
Known exploited
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
CVSS Score: 8.8
EPSS Score: 0.51
Published: 2021-02-15
CVE-2021-25298
Known exploited
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
CVSS Score: 8.8
EPSS Score: 0.771
Published: 2021-02-15



Shodan ® - All rights reserved