Total
99 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-27988 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field). | |||||
| CVE-2020-24899 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into normal webapp query. | |||||
| CVE-2020-23992 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via returnUrl parameter in a crafted GET request. | |||||
| CVE-2020-22427 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerability. An authenticated nagiosadmin user can inject additional commands into a request. NOTE: the vendor disputes whether the CVE and its references are actionable because all technical details are omitted, and the only option is to pay for a subscription service where technical details may be disclosed at an unspecified later time | |||||
| CVE-2020-15903 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by nagios user. This issue was fixed in version 5.7.3. | |||||
| CVE-2020-15902 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option. | |||||
| CVE-2020-15901 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
| In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys. | |||||
| CVE-2020-10821 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter. | |||||
| CVE-2020-10820 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter. | |||||
| CVE-2020-10819 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter. | |||||
| CVE-2019-9167 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. | |||||
| CVE-2019-9166 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php. | |||||
| CVE-2019-9165 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id. | |||||
| CVE-2019-9164 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job. | |||||
| CVE-2019-20197 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account. | |||||
| CVE-2019-20139 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user. | |||||
| CVE-2019-12279 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issues as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that can be done with the variable provided, and while the username value being passed does get used in a SQL query, it is passed through SQL escaping functions when creating the call. The vendor tried re-creating the issue with no luck | |||||
| CVE-2018-8736 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root. | |||||
| CVE-2018-8735 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection. | |||||
| CVE-2018-8734 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter. | |||||