CVE-2021-40344
Severity Score
7.2
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.
Se ha detectado un problema en Nagios XI versión 5.8.5. En la sección Custom Includes del panel de administración, un administrador puede subir archivos con extensiones arbitrarias siempre que el tipo MIME corresponda a una imagen. Por lo tanto, es posible subir un script PHP diseñado para lograr una ejecución remota de comandos
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-08-31 CVE Reserved
- 2021-10-26 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-11-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://synacktiv.com | Not Applicable |
| URL | Date | SRC |
|---|---|---|
| https://www.synacktiv.com/sites/default/files/2021-10/Nagios_XI_multiple_vulnerabilities_0.pdf | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT | 2021-11-02 |