CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper neutralization of input in NagVis before version 1.9.42, which can lead to XSS. • https://github.com/NagVis/nagvis/commit/30e71e8167d17a1828e7da71d6942f6fb36478cd https://github.com/NagVis/nagvis/commit/b5b1164007439de526df7d54d5c02d7732ba1c42 https://www.nagvis.org/downloads/changelog/1.9.42 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

XSS exists in NagVis before 1.9.38 via the select function in share/server/core/functions/html.php. • https://github.com/NagVis/nagvis/compare/nagvis-1.9.37...nagvis-1.9.38 https://github.com/NagVis/nagvis/pull/356 https://github.com/NagVis/nagvis/pull/356/commits/d660591b23e5cfea4d1be2d3fb8f3855aa6020fb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

NagVis before 1.9.34 was discovered to contain an arbitrary file read vulnerability via the component /core/classes/NagVisHoverUrl.php. • https://github.com/NagVis/nagvis/commit/71aba7f46f79d846e1df037f165d206a2cd1d22a https://github.com/NagVis/nagvis/compare/nagvis-1.9.33...nagvis-1.9.34 https://www.sonarsource.com/blog/checkmk-rce-chain-3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

A vulnerability was found in NagVis up to 1.9.33 and classified as problematic. This issue affects the function checkAuthCookie of the file share/server/core/classes/CoreLogonMultisite.php. The manipulation of the argument hash leads to incorrect type conversion. The attack may be initiated remotely. The complexity of an attack is rather high. • https://github.com/NagVis/nagvis/commit/7574fd8a2903282c2e0d1feef5c4876763db21d5 https://github.com/NagVis/nagvis/releases/tag/nagvis-1.9.34 https://vuldb.com/?ctiid.213557 https://vuldb.com/?id.213557 https://www.sonarsource.com/blog/checkmk-rce-chain-2 • CWE-704: Incorrect Type Conversion or Cast

CVSS: 8.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Manage Backgrounds functionality in NagVis versions prior to 1.9.29 is vulnerable to authenticated path traversal. Exploitation gives a malicious actor the ability to arbitrarily delete files on the local system. • https://nagvis.org/downloads/changelog/1.9.29 https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')