CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 2CVE-2019-9164 – Nagios XI 5.5.10 XSS / Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-9164
Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job. Una inyección de comandos en Nagios XI, en versiones anteriores a la 5.5.11, permite a los usuarios autenticados ejecutar comandos remotos arbitrarios mediante un nuevo trabajo de autodescubrimiento. Various vulnerabilities have been found in Nagios XI version 5.5.10, which allow a remote attacker able to trick an authenticated victim (with "autodiscovery job" creation privileges) to visit a malicious URL to obtain a remote root shell via a reflected cross site scripting, an authenticated remote code Execution and a local privilege escalation. • http://packetstormsecurity.com/files/152496/Nagios-XI-5.5.10-XSS-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2019/Apr/19 https://www.nagios.com/downloads/nagios-xi/change-log https://www.nagios.com/products/security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20171
https://notcve.org/view.php?id=CVE-2018-20171
An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability. Se ha descubierto un problema en versiones anteriores a la 5.5.8 de Nagios XI. El parámetro url en rss_dashlet/magpierss/scripts/magpie_simple.php no está filtrado, lo que resulta en una vulnerabilidad Cross-Site Scripting (XSS) • https://www.nagios.com/downloads/nagios-xi/change-log https://www.seebug.org/vuldb/ssvid-97713 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20172
https://notcve.org/view.php?id=CVE-2018-20172
An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability. Se ha descubierto un problema en versiones anteriores a la 5.5.8 de Nagios XI. El parámetro rss_url en rss_dashlet/magpierss/scripts/magpie_slashbox.php no está filtrado, lo que resulta en una vulnerabilidad Cross-Site Scripting (XSS). • https://www.nagios.com/downloads/nagios-xi/change-log https://www.seebug.org/vuldb/ssvid-97714 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 46%CPEs: 1EXPL: 4CVE-2018-15708 – Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-15708
Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request. Snoopy 1.0 en Nagios XI 5.5.6 permite que atacantes remotos no autenticados ejecuten comandos arbitrarios mediante una petición HTTP manipulada. Nagios XI version 5.5.6 suffers from remote code execution and privilege escalation vulnerabilities. • https://www.exploit-db.com/exploits/47039 https://www.exploit-db.com/exploits/46221 https://github.com/lkduy2602/Detecting-CVE-2018-15708-Vulnerabilities http://packetstormsecurity.com/files/153433/Nagios-XI-Magpie_debug.php-Root-Remote-Code-Execution.html https://www.tenable.com/security/research/tra-2018-37 https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172 •
CVSS: 7.8EPSS: 5%CPEs: 1EXPL: 3CVE-2018-15710 – Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-15710
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php. Nagios XI 5.5.6 permite que atacantes autenticados locales escalen privilegios a root mediante Autodiscover_new.php. Nagios XI version 5.5.6 suffers from remote code execution and privilege escalation vulnerabilities. • https://www.exploit-db.com/exploits/47039 https://www.exploit-db.com/exploits/46221 http://packetstormsecurity.com/files/153433/Nagios-XI-Magpie_debug.php-Root-Remote-Code-Execution.html https://www.tenable.com/security/research/tra-2018-37 https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •