CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15903
https://notcve.org/view.php?id=CVE-2020-15903
An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by nagios user. This issue was fixed in version 5.7.3. Se encontró un problema en Nagios XI versiones anteriores a 5.7.3. Se presenta una vulnerabilidad de escalada de privilegios en los scripts del backend que se ejecutaban como root, donde algunos archivos incluidos eran editables por el usuario de nagios. • https://www.nagios.com/downloads/nagios-xi/change-log •
CVSS: 8.8EPSS: 7%CPEs: 1EXPL: 0CVE-2020-15901
https://notcve.org/view.php?id=CVE-2020-15901
In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys. En Nagios XI versiones anteriores a 5.7.3, el archivo ajaxhelper.php permite a atacantes autentificados remotos ejecutar comandos arbitrarios por medio de cmdsubsys • https://insinuator.net/2020/07/security-advisories-for-nagios-xi https://www.nagios.com/downloads/nagios-xi/change-log https://www.nagios.com/products/security •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15902
https://notcve.org/view.php?id=CVE-2020-15902
Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option. Graph Explorer en Nagios XI versiones anteriores a 5.7.2, permite un ataque de tipo XSS por medio de la opción link url • https://insinuator.net/2020/07/security-advisories-for-nagios-xi https://www.nagios.com/downloads/nagios-xi/change-log https://www.nagios.com/products/security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 32%CPEs: 1EXPL: 4CVE-2019-15949 – Nagios XI Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-15949
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root. • https://www.exploit-db.com/exploits/48191 http://packetstormsecurity.com/files/156676/Nagios-XI-Authenticated-Remote-Command-Execution.html http://packetstormsecurity.com/files/162158/Nagios-XI-getprofile.sh-Remote-Command-Execution.html https://github.com/jakgibb/nagiosxi-root-rce-exploit - • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17147
https://notcve.org/view.php?id=CVE-2018-17147
Nagios XI before 5.5.4 has XSS in the auto login admin management page. Nagios XI versiones anterior a 5.5.4, presenta un problema de tipo XSS en la página de administración admin de inicio de sesión automático. • http://www.securityfocus.com/bid/109116 https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •