CVSS: 5.4EPSS: 3%CPEs: 1EXPL: 1CVE-2018-15713
https://notcve.org/view.php?id=CVE-2018-15713
14 Nov 2018 — Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php. Nagios XI 5.5.6 permite Cross-Site Scripting (XSS) persistente de atacantes autenticados mediante la dirección de email almacenada en api_tool.php. • https://www.tenable.com/security/research/tra-2018-37 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 24%CPEs: 1EXPL: 1CVE-2018-15714
https://notcve.org/view.php?id=CVE-2018-15714
14 Nov 2018 — Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters. Nagios XI 5.5.6 permite Cross-Site Scripting (XSS) reflejado de atacantes remotos no autenticados mediante los parámetros oname y oname2. • https://www.tenable.com/security/research/tra-2018-37 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 78%CPEs: 2EXPL: 1CVE-2018-10735
https://notcve.org/view.php?id=CVE-2018-10735
16 May 2018 — A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter. Se ha descubierto un problema de inyección SQL en Nagios XI en versiones anteriores a la 5.4.13 mediante el parámetro cname en admin/commandline.php. • https://www.seebug.org/vuldb/ssvid-97265 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 70%CPEs: 2EXPL: 1CVE-2018-10736
https://notcve.org/view.php?id=CVE-2018-10736
16 May 2018 — A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter. Se ha descubierto un problema de inyección SQL en Nagios XI en versiones anteriores a la 5.4.13 mediante el parámetro key1 en admin/info.php. • https://www.seebug.org/vuldb/ssvid-97266 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 70%CPEs: 2EXPL: 1CVE-2018-10737
https://notcve.org/view.php?id=CVE-2018-10737
16 May 2018 — A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter. Se ha descubierto un problema de inyección SQL en Nagios XI en versiones anteriores a la 5.4.13 mediante el parámetro txtSearch en admin/logbook.php. • https://www.seebug.org/vuldb/ssvid-97267 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 70%CPEs: 2EXPL: 1CVE-2018-10738
https://notcve.org/view.php?id=CVE-2018-10738
16 May 2018 — A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter. Se ha descubierto un problema de inyección SQL en Nagios XI en versiones anteriores a la 5.4.13 mediante el parámetro chbKey1 en admin/menuaccess.php. • https://www.seebug.org/vuldb/ssvid-97268 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 4%CPEs: 1EXPL: 0CVE-2018-10553
https://notcve.org/view.php?id=CVE-2018-10553
30 Apr 2018 — An issue was discovered in Nagios XI 5.4.13. A registered user is able to use directory traversal to read local files, as demonstrated by URIs beginning with index.php?xiwindow=./ and config/?xiwindow=../ substrings. Se ha descubierto un problema en Nagios XI 5.4.13. • http://code610.blogspot.com/2018/04/few-bugs-in-latest-nagios-xi-5413.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 2%CPEs: 1EXPL: 1CVE-2018-10554
https://notcve.org/view.php?id=CVE-2018-10554
30 Apr 2018 — An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter. Se ha descubierto un problema en Nagios XI 5.4.13. Hay Cross-Site Scripting ... • http://code610.blogspot.com/2018/04/few-bugs-in-latest-nagios-xi-5413.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 79%CPEs: 1EXPL: 5CVE-2018-8733 – Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-8733
18 Apr 2018 — Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability. Vulnerabilidad de omisión de autenticación en el gestor core config en Nagios XI, en versiones 5.2.x hasta la 5.4.x anteriores a la 5.4.13, permite que un atacante no autenticado realice cambios en la configuración y aproveche una vulnerabilidad de inyección SQL autenticada. • https://packetstorm.news/files/id/148374 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 79%CPEs: 1EXPL: 5CVE-2018-8734 – Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-8734
18 Apr 2018 — SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter. Vulnerabilidad de inyección SQL en el gestor core config en Nagios XI, en versiones 5.2.x hasta la 5.4.x anteriores a la 5.4.13, permite que un atacante ejecute comandos SQL arbitrarios mediante el parámetro selInfoKey1. • https://packetstorm.news/files/id/148374 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •