Shodan
Vulnerabilities
Vulnerable Software
Nagios:  >> Nagios Xi  >> 5.2.6  Security Vulnerabilities
CVE-2020-35578
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.
CVSS Score
7.2
EPSS Score
0.904
Published
2021-01-13
CVE-2020-27990
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent).
CVSS Score
5.4
EPSS Score
0.06
Published
2020-11-16
CVE-2020-27991
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).
CVSS Score
5.4
EPSS Score
0.06
Published
2020-11-16
CVE-2020-27988
Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field).
CVSS Score
5.4
EPSS Score
0.302
Published
2020-11-16
CVE-2020-27989
Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard).
CVSS Score
5.4
EPSS Score
0.06
Published
2020-11-16
CVE-2020-28648
Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.
CVSS Score
8.8
EPSS Score
0.087
Published
2020-11-16
CVE-2020-15903
An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by nagios user. This issue was fixed in version 5.7.3.
CVSS Score
9.8
EPSS Score
0.07
Published
2020-09-09
CVE-2020-15901
In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys.
CVSS Score
8.8
EPSS Score
0.065
Published
2020-07-22
CVE-2020-15902
Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option.
CVSS Score
6.1
EPSS Score
0.428
Published
2020-07-22
CVE-2019-15949
Known exploited
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
CVSS Score
8.8
EPSS Score
0.887
Published
2019-09-05


Products
Pricing
Contact Us

Shodan ® - All rights reserved