CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2020-28906 – Nagios XI / Fusion Privilege Escalation / Cross Site Scripting / Code Execution
https://notcve.org/view.php?id=CVE-2020-28906
24 May 2021 — Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are able to modify files that are included (aka sourced) by scripts executed by root. Los Permisos de Archivo Incorrectos en Nagios XI versiones 5.7.5 y anteriores y Nagios Fusion versiones 4.1.8 y anteriores, permiten una Escalada de Privilegios a root. Los usuarios pocos privilegiados pueden modificar archivos que son incluidos (también se conoce ... • https://packetstorm.news/files/id/162783 • CWE-276: Incorrect Default Permissions •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 2CVE-2020-28900 – Nagios XI / Fusion Privilege Escalation / Cross Site Scripting / Code Execution
https://notcve.org/view.php?id=CVE-2020-28900
24 May 2021 — Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh. Una Comprobación Insuficiente de la Autenticidad de los Datos en Nagios Fusion versiones 4.1.8 y anteriores y Nagios XI versiones 5.7.5 y anteriores, permite la ampliación de privilegios o una ejecución de código como root por medio de vectores relacionados co... • https://packetstorm.news/files/id/162783 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.1EPSS: 76%CPEs: 1EXPL: 3CVE-2021-25299 – Nagios XI 5.7.5 Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-25299
15 Feb 2021 — Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server. Nagios XI versión xi-5.7.5, esta afectada por una vulnerabilidad de tipo cross-site scr... • https://packetstorm.news/files/id/161561 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 93%CPEs: 1EXPL: 6CVE-2021-25296 – Nagios XI OS Command Injection
https://notcve.org/view.php?id=CVE-2021-25296
15 Feb 2021 — Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. Nagios XI versión xi-5.7.5, esta afectada por una inyección de comandos del Sistema Operativo. La vulnerabilidad se presenta en el archivo /usr/local/nagiosxi/html/includ... • https://packetstorm.news/files/id/170924 •
CVSS: 9.0EPSS: 47%CPEs: 1EXPL: 7CVE-2021-25297 – Nagios XI OS Command Injection
https://notcve.org/view.php?id=CVE-2021-25297
15 Feb 2021 — Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. Nagios XI versión xi-5.7.5, esta afectada por una inyección de comandos del Sistema Operativo. La vulnerabilidad se presenta en el archivo /usr/local/nagiosxi/html/includes/confi... • https://packetstorm.news/files/id/170924 •
CVSS: 9.0EPSS: 75%CPEs: 1EXPL: 6CVE-2021-25298 – Nagios XI OS Command Injection
https://notcve.org/view.php?id=CVE-2021-25298
15 Feb 2021 — Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. Nagios XI versión xi-5.7.5, esta afectada por una inyección de comandos del Sistema Operativo. La vulnerabilidad se presenta en el archivo /usr/local/nagiosxi/html/includes/c... • https://packetstorm.news/files/id/170924 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 90%CPEs: 1EXPL: 5CVE-2020-35578 – Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
https://notcve.org/view.php?id=CVE-2020-35578
13 Jan 2021 — An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands. Se detectó un problema en la página Manage Plugins en Nagios XI versiones anteriores a 5.8.0. Debido a que la funcionalidad line-ending conversion es manejada inapropiadamente durante la carga de un plugin, un usuario administrador autenticado y remoto puede ejecutar comand... • https://packetstorm.news/files/id/162207 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 22%CPEs: 17EXPL: 2CVE-2013-6875 – Nagios XI - 'tfPassword' SQL Injection
https://notcve.org/view.php?id=CVE-2013-6875
26 Nov 2013 — SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php. Vulnerabilidad de inyección de SQL en functions/prepend_adm.php de Nagios Core Config Manager de Nagios XI anterior a la versión 2012R2.4 permite a atacantes remotos ejecutar comandos SQL a través del parámetro tfPassword hacia nagiosql/index.php. • https://www.exploit-db.com/exploits/38827 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •