CVSS: 8.8EPSS: 37%CPEs: 1EXPL: 3CVE-2019-9164 – Nagios XI 5.5.10 XSS / Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-9164
28 Mar 2019 — Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job. Una inyección de comandos en Nagios XI, en versiones anteriores a la 5.5.11, permite a los usuarios autenticados ejecutar comandos remotos arbitrarios mediante un nuevo trabajo de autodescubrimiento. Various vulnerabilities have been found in Nagios XI version 5.5.10, which allow a remote attacker able to trick an authenticated victim (with "autodiscovery job" creation... • https://packetstorm.news/files/id/152496 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 7%CPEs: 1EXPL: 1CVE-2018-20171
https://notcve.org/view.php?id=CVE-2018-20171
17 Dec 2018 — An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability. Se ha descubierto un problema en versiones anteriores a la 5.5.8 de Nagios XI. El parámetro url en rss_dashlet/magpierss/scripts/magpie_simple.php no está filtrado, lo que resulta en una vulnerabilidad Cross-Site Scripting (XSS) • https://www.nagios.com/downloads/nagios-xi/change-log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 7%CPEs: 1EXPL: 1CVE-2018-20172
https://notcve.org/view.php?id=CVE-2018-20172
17 Dec 2018 — An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability. Se ha descubierto un problema en versiones anteriores a la 5.5.8 de Nagios XI. El parámetro rss_url en rss_dashlet/magpierss/scripts/magpie_slashbox.php no está filtrado, lo que resulta en una vulnerabilidad Cross-Site Scripting (XSS). • https://www.nagios.com/downloads/nagios-xi/change-log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 92%CPEs: 1EXPL: 6CVE-2018-15708 – Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-15708
14 Nov 2018 — Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request. Snoopy 1.0 en Nagios XI 5.5.6 permite que atacantes remotos no autenticados ejecuten comandos arbitrarios mediante una petición HTTP manipulada. Nagios XI version 5.5.6 suffers from remote code execution and privilege escalation vulnerabilities. • https://packetstorm.news/files/id/151296 •
CVSS: 8.8EPSS: 11%CPEs: 1EXPL: 1CVE-2018-15709
https://notcve.org/view.php?id=CVE-2018-15709
14 Nov 2018 — Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request. Nagios XI 5.5.6 permite que atacantes remotos autenticados ejecuten comandos arbitrarios mediante una petición HTTP manipulada. • https://www.tenable.com/security/research/tra-2018-37 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 79%CPEs: 1EXPL: 5CVE-2018-15710 – Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-15710
14 Nov 2018 — Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php. Nagios XI 5.5.6 permite que atacantes autenticados locales escalen privilegios a root mediante Autodiscover_new.php. Nagios XI version 5.5.6 suffers from remote code execution and privilege escalation vulnerabilities. • https://packetstorm.news/files/id/151296 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 31%CPEs: 1EXPL: 1CVE-2018-15711
https://notcve.org/view.php?id=CVE-2018-15711
14 Nov 2018 — Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges. Nagios XI 5.5.6 permite que atacantes autenticados remotos restablezcan y regeneren la clave API de usuarios más privilegiados. El atacante puede emplear la nueva clave API para ejecutar llamadas API con privilegios elevados. • https://www.tenable.com/security/research/tra-2018-37 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 13%CPEs: 1EXPL: 1CVE-2018-15712
https://notcve.org/view.php?id=CVE-2018-15712
14 Nov 2018 — Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php. Nagios XI 5.5.6 permite Cross-Site Scripting (XSS) reflejado de atacantes remotos no autenticados mediante el parámetro host en api_tool.php. • https://www.tenable.com/security/research/tra-2018-37 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 3%CPEs: 1EXPL: 1CVE-2018-15713
https://notcve.org/view.php?id=CVE-2018-15713
14 Nov 2018 — Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php. Nagios XI 5.5.6 permite Cross-Site Scripting (XSS) persistente de atacantes autenticados mediante la dirección de email almacenada en api_tool.php. • https://www.tenable.com/security/research/tra-2018-37 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 24%CPEs: 1EXPL: 1CVE-2018-15714
https://notcve.org/view.php?id=CVE-2018-15714
14 Nov 2018 — Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters. Nagios XI 5.5.6 permite Cross-Site Scripting (XSS) reflejado de atacantes remotos no autenticados mediante los parámetros oname y oname2. • https://www.tenable.com/security/research/tra-2018-37 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •