SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.
Max CVSS: 7.5 | EPSS Score: 88.08% | Published: 2013-11-26 | Updated: 2013-11-27

CVE-2018-8733

Public exploit
Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
Max CVSS: 9.8 | EPSS Score: 38.75% | Published: 2018-04-18 | Updated: 2019-10-03

CVE-2018-8734

Public exploit
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
Max CVSS: 9.8 | EPSS Score: 35.06% | Published: 2018-04-18 | Updated: 2019-03-05

CVE-2018-8735

Public exploit
Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.
Max CVSS: 9.0 | EPSS Score: 85.83% | Published: 2018-04-18 | Updated: 2019-03-04

CVE-2018-8736

Public exploit
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.
Max CVSS: 9.0 | EPSS Score: 51.03% | Published: 2018-04-18 | Updated: 2019-10-03

An issue was discovered in Nagios XI 5.4.13. A registered user is able to use directory traversal to read local files, as demonstrated by URIs beginning with index.php?xiwindow=./ and config/?xiwindow=../ substrings.
Max CVSS: 6.5 | EPSS Score: 0.12% | Published: 2018-04-30 | Updated: 2018-06-07

An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter.
Max CVSS: 5.4 | EPSS Score: 0.11% | Published: 2018-04-30 | Updated: 2020-08-24

A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.
Max CVSS: 7.2 | EPSS Score: 0.40% | Published: 2018-05-16 | Updated: 2018-06-15

A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
Max CVSS: 7.2 | EPSS Score: 0.40% | Published: 2018-05-16 | Updated: 2018-06-15

A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.
Max CVSS: 7.2 | EPSS Score: 0.40% | Published: 2018-05-16 | Updated: 2018-06-15

A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.
Max CVSS: 7.2 | EPSS Score: 0.40% | Published: 2018-05-16 | Updated: 2018-06-15

CVE-2018-15708

Public exploit
Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.
Max CVSS: 9.8 | EPSS Score: 61.03% | Published: 2018-11-14 | Updated: 2019-10-03

Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request.
Max CVSS: 8.8 | EPSS Score: 4.15% | Published: 2018-11-14 | Updated: 2019-10-03

CVE-2018-15710

Public exploit
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.
Max CVSS: 7.8 | EPSS Score: 5.83% | Published: 2018-11-14 | Updated: 2019-10-03

Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges.
Max CVSS: 8.8 | EPSS Score: 27.52% | Published: 2018-11-14 | Updated: 2019-10-03

Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php.
Max CVSS: 6.1 | EPSS Score: 28.23% | Published: 2018-11-14 | Updated: 2018-12-06

Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php.
Max CVSS: 5.4 | EPSS Score: 0.38% | Published: 2018-11-14 | Updated: 2018-12-06

Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters.
Max CVSS: 6.1 | EPSS Score: 28.23% | Published: 2018-11-14 | Updated: 2018-12-06

A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page.
Max CVSS: 5.4 | EPSS Score: 0.16% | Published: 2019-06-19 | Updated: 2019-06-23

Nagios XI before 5.5.4 has XSS in the auto login admin management page.
Max CVSS: 4.8 | EPSS Score: 0.15% | Published: 2019-07-10 | Updated: 2019-07-11

An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.
Max CVSS: 9.8 | EPSS Score: 0.55% | Published: 2019-06-19 | Updated: 2019-06-21

An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability.
Max CVSS: 6.1 | EPSS Score: 0.20% | Published: 2018-12-17 | Updated: 2019-01-07

An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability.
Max CVSS: 6.1 | EPSS Score: 0.20% | Published: 2018-12-17 | Updated: 2019-01-07

Command injection in Nagios XI before 5.5.11 allows an authenticated user to execute arbitrary remote commands via a new autodiscovery job.
Max CVSS: 8.8 | EPSS Score: 20.55% | Published: 2019-03-28 | Updated: 2022-10-06

SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and a malicious user id.
Max CVSS: 9.8 | EPSS Score: 3.27% | Published: 2019-03-28 | Updated: 2022-10-06

98 vulnerabilities found