CVE-2021-25298 – Nagios XI OS Command Injection
https://notcve.org/view.php?id=CVE-2021-25298
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. Nagios XI versión xi-5.7.5, esta afectada por una inyección de comandos del Sistema Operativo. La vulnerabilidad se presenta en el archivo /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php debido a un saneamiento inapropiado de la entrada controlada por el usuario autenticado mediante una única petición HTTP, lo que puede conducir a una inyección de comandos del Sistema Operativo en el servidor de Nagios XI Nagios XI version 5.7.5 suffers from a cross site scripting and multiple remote code execution vulnerabilities. Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. • http://nagios.com http://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html https://assets.nagios.com/downloads/nagiosxi/versions.php https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md https://www.fastly.com/blog/anatomy-of-a-command-injection-cve-2021-25296-7-8-with-metasploit-module-and •
CVE-2021-26024
https://notcve.org/view.php?id=CVE-2021-26024
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account. El plugin Favorites versiones anteriores a 1.0.2 para Nagios XI versión 5.8.0, es vulnerable a una Referencia Directa a Objetos No Segura: es posible crear favoritos para cualquier otra cuenta de usuario • https://www.nagios.com/products/security • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2021-26023
https://notcve.org/view.php?id=CVE-2021-26023
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS. El plugin Favorites versiones anteriores a 1.0.2 para Nagios XI versión 5.8.0, es vulnerable a un ataque de tipo XSS • https://www.nagios.com/products/security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-3193
https://notcve.org/view.php?id=CVE-2021-3193
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user. Un acceso inapropiado y una comprobación de comandos en el asistente de configuración de Docker de Nagios XI versiones anteriores a 5.8.0, permiten a un atacante autenticado ejecutar código remoto como el usuario de Apache • https://www.nagios.com/products/security •
CVE-2020-35578 – Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
https://notcve.org/view.php?id=CVE-2020-35578
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands. Se detectó un problema en la página Manage Plugins en Nagios XI versiones anteriores a 5.8.0. Debido a que la funcionalidad line-ending conversion es manejada inapropiadamente durante la carga de un plugin, un usuario administrador autenticado y remoto puede ejecutar comandos del sistema operativo. • https://www.exploit-db.com/exploits/49422 http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html https://www.nagios.com/downloads/nagios-xi/change-log https://www.nagios.com/products/security - • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •