CVSS: 9.0EPSS: 96%CPEs: 1EXPL: 4CVE-2021-25298 – Nagios XI OS Command Injection
https://notcve.org/view.php?id=CVE-2021-25298
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. Nagios XI versión xi-5.7.5, esta afectada por una inyección de comandos del Sistema Operativo. La vulnerabilidad se presenta en el archivo /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php debido a un saneamiento inapropiado de la entrada controlada por el usuario autenticado mediante una única petición HTTP, lo que puede conducir a una inyección de comandos del Sistema Operativo en el servidor de Nagios XI Nagios XI version 5.7.5 suffers from a cross site scripting and multiple remote code execution vulnerabilities. Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. • http://nagios.com http://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html https://assets.nagios.com/downloads/nagiosxi/versions.php https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md https://www.fastly.com/blog/anatomy-of-a-command-injection-cve-2021-25296-7-8-with-metasploit-module-and •
CVSS: 9.0EPSS: 94%CPEs: 1EXPL: 3CVE-2020-35578 – Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
https://notcve.org/view.php?id=CVE-2020-35578
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands. Se detectó un problema en la página Manage Plugins en Nagios XI versiones anteriores a 5.8.0. Debido a que la funcionalidad line-ending conversion es manejada inapropiadamente durante la carga de un plugin, un usuario administrador autenticado y remoto puede ejecutar comandos del sistema operativo. • https://www.exploit-db.com/exploits/49422 http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html https://www.nagios.com/downloads/nagios-xi/change-log https://www.nagios.com/products/security - • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 60%CPEs: 17EXPL: 2CVE-2013-6875 – Nagios XI - 'tfPassword' SQL Injection
https://notcve.org/view.php?id=CVE-2013-6875
SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php. Vulnerabilidad de inyección de SQL en functions/prepend_adm.php de Nagios Core Config Manager de Nagios XI anterior a la versión 2012R2.4 permite a atacantes remotos ejecutar comandos SQL a través del parámetro tfPassword hacia nagiosql/index.php. • https://www.exploit-db.com/exploits/38827 http://assets.nagios.com/downloads/nagiosxi/CHANGES-2012.TXT http://secunia.com/advisories/55695 http://www.security-assessment.com/files/documents/advisory/NagiosQL%20Core%20Config%20Manager%20SQL%20Injection%20Vulnerability%20Advisory%20-%20DA.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •