Nagios: Security Vulnerabilities
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
CVSS Score: 9.8
EPSS Score: 0.537
Published: 2018-04-18
Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.
CVSS Score: 8.8
EPSS Score: 0.646
Published: 2018-04-18
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.
CVSS Score: 8.8
EPSS Score: 0.474
Published: 2018-04-18
Cross-site scripting (XSS) vulnerability in Nagios Business Process Intelligence (BPI) before 2.3.4 allows remote attackers to inject arbitrary web script or HTML via vectors involving index.php.
CVSS Score: 6.1
EPSS Score: 0.014
Published: 2018-02-06
Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root but supports configuration options in which this file is owned by a non-root account (and similarly can have nagios.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account.
CVSS Score: 7.8
EPSS Score: 0.003
Published: 2017-09-11
Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat /pathname/nagios.lock`" command.
CVSS Score: 6.3
EPSS Score: 0.008
Published: 2017-08-23
The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.
CVSS Score: 9.8
EPSS Score: 0.023
Published: 2017-06-06
The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796.
CVSS Score: 9.8
EPSS Score: 0.045
Published: 2017-03-31
Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008.
CVSS Score: 9.8
EPSS Score: 0.047
Published: 2017-03-31
Cross-site scripting (XSS) vulnerability in Nagios.
CVSS Score: 6.1
EPSS Score: 0.018
Published: 2017-03-31

