
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter.
• http://code610.blogspot.com/2018/04/few-bugs-in-latest-nagios-xi-5413.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-352: Cross-Site Request Forgery (CSRF)
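Detection logic for the five sinks named in the entry above, added here as an example; it is not part of this listing and not Nagios XI code. It parses Apache combined-format access log lines and flags requests to those scripts whose watched parameters carry HTML markup or an inline event handler. The log lines are constructed for the example. The entry names only the components/scheduledreporting component for the Schedule New Report screen, so the exact page path is an assumption and matching is done on that directory; the downtime.php entry names no parameter, so every parameter on that script is inspected. Because the entry says the XSS is reachable via CSRF, each finding keeps the Referer: a hit carrying a Referer outside the Nagios XI origin is the trace a forged cross-site request would leave.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sinks from the listing entry: path fragment -> parameters to inspect
# (None means inspect every parameter, because the entry names none).
SINKS = {
    "components/scheduledreporting/": {"hour", "minute", "ampm"},  # path assumed, see lead-in
    "includes/components/xicore/downtime.php": None,               # update_pages, no parameter named
    "ajaxhelper.php": {"opts", "background"},
    "ajax_handler.php": {"i[]"},
    "deploynotification.php": {"title"},
}

# Markup that has no business in an hour/minute/ampm value, an option blob or a title.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def find_sink(path):
    """Return (sink, watched_params) if the request path hits one of the listed scripts."""
    for needle, params in SINKS.items():
        if needle in path:
            return needle, params
    return None, None


def scan_request(ip, ts, referer, target):
    """Inspect one request line; return a finding per parameter that carries markup."""
    parts = urlsplit(target)
    sink, watched = find_sink(parts.path)
    if sink is None:
        return []
    findings = []
    # parse_qs percent-decodes both keys and values, so i%5B%5D arrives as "i[]".
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if watched is not None and name not in watched:
            continue
        for value in values:
            if MARKUP.search(value):
                findings.append({"ip": ip, "time": ts, "referer": referer,
                                 "script": sink, "param": name, "value": value})
    return findings


def scan_log(text):
    """Run scan_request over every parseable line of an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings.extend(scan_request(m["ip"], m["ts"], m["referer"], m["target"]))
    return findings


# Constructed sample log: two benign requests, one benign downtime.php hit and three
# requests whose watched parameters carry markup. Not captured from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2018:10:01:02 +0000] "GET /nagiosxi/includes/components/scheduledreporting/index.php?hour=10&minute=30&ampm=AM HTTP/1.1" 200 5120 "http://nagios.internal/nagiosxi/" "Mozilla/5.0"
203.0.113.7 - - [26/Apr/2018:10:01:09 +0000] "GET /nagiosxi/includes/components/scheduledreporting/index.php?hour=%3Cscript%3Ealert(1)%3C/script%3E&minute=30&ampm=AM HTTP/1.1" 200 5120 "http://attacker.invalid/" "Mozilla/5.0"
198.51.100.4 - - [26/Apr/2018:10:02:00 +0000] "GET /nagiosxi/ajaxhelper.php?opts=dashboard HTTP/1.1" 200 880 "http://nagios.internal/nagiosxi/" "Mozilla/5.0"
198.51.100.4 - - [26/Apr/2018:10:02:07 +0000] "GET /nagiosxi/ajaxhelper.php?background=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 880 "http://attacker.invalid/" "Mozilla/5.0"
198.51.100.4 - - [26/Apr/2018:10:02:15 +0000] "GET /nagiosxi/ajax_handler.php?i%5B%5D=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 120 "http://attacker.invalid/" "Mozilla/5.0"
203.0.113.7 - - [26/Apr/2018:10:03:00 +0000] "GET /nagiosxi/includes/components/xicore/downtime.php?page=2 HTTP/1.1" 200 4096 "http://nagios.internal/nagiosxi/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['script']} {f['param']}={f['value']!r} referer={f['referer']}")
```

The markup pattern is deliberately narrow; a production rule would also decode double-encoded values and JSON-quoted strings, since the opts parameter is likely to carry structured data. Requests with a 200 status are still worth flagging: a reflected XSS succeeds on the normal success path, so status codes do not separate good from bad here.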

CVSS: 9.8 | EPSS: 10% | CPEs: 1 | EXPL: 3

SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
• https://www.exploit-db.com/exploits/44969
• https://www.exploit-db.com/exploits/44560
• https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
• https://blog.redactedsec.net/exploits/2018/04/26/nagios.html
• https://gist.github.com/caleBot/f0a93b5a98574393e0139104eacc2d0f
• https://www.nagios.com/downloads/nagios-xi/change-log
• http://blog.redactedsec.net/exploits/2018/04/26/nagios.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.0 | EPSS: 22% | CPEs: 1 | EXPL: 3

A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability, escalating to root.
• https://www.exploit-db.com/exploits/44969
• https://www.exploit-db.com/exploits/44560
• https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
• https://blog.redactedsec.net/exploits/2018/04/26/nagios.html
• https://gist.github.com/caleBot/f0a93b5a98574393e0139104eacc2d0f
• https://www.nagios.com/downloads/nagios-xi/change-log
• http://blog.redactedsec.net/exploits/2018/04/26/nagios.html

CVSS: 9.0 | EPSS: 63% | CPEs: 1 | EXPL: 3

Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.
• https://www.exploit-db.com/exploits/44969
• https://www.exploit-db.com/exploits/44560
• https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
• https://blog.redactedsec.net/exploits/2018/04/26/nagios.html
• https://gist.github.com/caleBot/f0a93b5a98574393e0139104eacc2d0f
• https://www.nagios.com/downloads/nagios-xi/change-log
• http://blog.redactedsec.net/exploits/2018/04/26/nagios.html
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.8 | EPSS: 32% | CPEs: 1 | EXPL: 3

Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
• https://www.exploit-db.com/exploits/44969
• https://www.exploit-db.com/exploits/44560
• https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
• https://blog.redactedsec.net/exploits/2018/04/26/nagios.html
• https://gist.github.com/caleBot/f0a93b5a98574393e0139104eacc2d0f
• https://www.nagios.com/downloads/nagios-xi/change-log
• http://blog.redactedsec.net/exploits/2018/04/26/nagios.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
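The four entries above (SQL injection, privilege escalation, OS command injection, authentication bypass) share one affected range, 5.2.x through 5.4.x before 5.4.13, while the XSS-via-CSRF entry at the top of this page is reported against 5.4.13 itself, the version that fixes the other four. A triage helper that encodes exactly those ranges from the listing, added here as an example and not part of this listing or of Nagios XI: given an installed version string (how it is obtained, for instance from the product's About page, is left to the caller), it returns which of the listed issue classes the page says apply. It assumes the plain major.minor.patch format the entries use; the XSS range is a single point because the entry names 5.4.13 only and the page does not state whether later releases fixed it.

```python
import re

# Issue classes and affected ranges as the listing entries state them.
# Ranges are half-open: low <= version < high, in (major, minor, patch) form.
ISSUES = [
    ("XSS via CSRF in scheduledreporting, downtime.php, ajaxhelper.php, ajax_handler.php, deploynotification.php",
     (5, 4, 13), (5, 4, 14)),   # the entry names 5.4.13 only; later versions not stated on the page
    ("SQL injection via selInfoKey1 in the core config manager", (5, 2, 0), (5, 4, 13)),
    ("Privilege escalation from RCE to root", (5, 2, 0), (5, 4, 13)),
    ("OS command injection (remote command execution)", (5, 2, 0), (5, 4, 13)),
    ("Authentication bypass in the core config manager", (5, 2, 0), (5, 4, 13)),
]

# Assumed version format: major.minor or major.minor.patch, digits only.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '5.4.13' (or '5.4') into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        # Refuse to guess: a suffix such as '-rc1' changes what the range means.
        raise ValueError(f"unrecognised Nagios XI version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_issues(version_text):
    """Return the names of the listed issues whose range contains this version."""
    v = parse_version(version_text)
    return [name for name, low, high in ISSUES if low <= v < high]


if __name__ == "__main__":
    for candidate in ("5.1.9", "5.2.0", "5.4.12", "5.4.13", "5.5.0"):
        hits = affected_issues(candidate)
        print(f"{candidate}: {len(hits)} listed issue(s)")
        for name in hits:
            print(f"  - {name}")
```

Because the ranges are half-open tuples rather than string comparisons, "5.4.9" sorts below "5.4.13" correctly; a naive string compare would get that boundary wrong. Treat an empty result as "not in this listing", not as "not vulnerable": the page shows only part of the result set.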