CVSS: 9.0EPSS: 14%CPEs: 1EXPL: 2CVE-2020-28648 – Nagios XI / Fusion Privilege Escalation / Cross Site Scripting / Code Execution
https://notcve.org/view.php?id=CVE-2020-28648
Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code. Una comprobación inapropiada de entrada en el componente Auto-Discovery de Nagios XI versiones anteriores a 5.7.5, permite a un atacante autenticado ejecutar código remoto Skylight Cyber has identified a total of 13 vulnerabilities in Nagios XI and Nagios Fusion servers. These include remote code execution, cross site scripting, privilege escalation, and more. • http://packetstormsecurity.com/files/162783/Nagios-XI-Fusion-Privilege-Escalation-Cross-Site-Scripting-Code-Execution.html https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you https://www.nagios.com/downloads/nagios-xi/change-log • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 84%CPEs: 1EXPL: 4CVE-2020-5791 – Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)
https://notcve.org/view.php?id=CVE-2020-5791
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user. Una neutralización inapropiada de elementos especiales utilizados en un comando del Sistema Operativo en Nagios XI versión 5.7.3, permite a un usuario administrador autenticado remoto ejecutar comandos del sistema operativo con los privilegios del usuario de apache • https://www.exploit-db.com/exploits/48959 http://packetstormsecurity.com/files/159743/Nagios-XI-5.7.3-Remote-Command-Injection.html http://packetstormsecurity.com/files/162235/Nagios-XI-5.7.3-Remote-Code-Execution.html https://www.tenable.com/security/research/tra-2020-58 - • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15903
https://notcve.org/view.php?id=CVE-2020-15903
An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by nagios user. This issue was fixed in version 5.7.3. Se encontró un problema en Nagios XI versiones anteriores a 5.7.3. Se presenta una vulnerabilidad de escalada de privilegios en los scripts del backend que se ejecutaban como root, donde algunos archivos incluidos eran editables por el usuario de nagios. • https://www.nagios.com/downloads/nagios-xi/change-log •
CVSS: 8.8EPSS: 7%CPEs: 1EXPL: 0CVE-2020-15901
https://notcve.org/view.php?id=CVE-2020-15901
In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys. En Nagios XI versiones anteriores a 5.7.3, el archivo ajaxhelper.php permite a atacantes autentificados remotos ejecutar comandos arbitrarios por medio de cmdsubsys • https://insinuator.net/2020/07/security-advisories-for-nagios-xi https://www.nagios.com/downloads/nagios-xi/change-log https://www.nagios.com/products/security •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15902
https://notcve.org/view.php?id=CVE-2020-15902
Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option. Graph Explorer en Nagios XI versiones anteriores a 5.7.2, permite un ataque de tipo XSS por medio de la opción link url • https://insinuator.net/2020/07/security-advisories-for-nagios-xi https://www.nagios.com/downloads/nagios-xi/change-log https://www.nagios.com/products/security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •