Filtered by vendor Nagios
Total: 301 CVEs (this page shows a subset)
| CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2016-15049 | Nagios | Log Server | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios Log Server versions prior to 1.4.2 are vulnerable to cross-site scripting (XSS) in the Dashboards section when rendering log entries in the Logs table. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim's browser within the application origin. |
| CVE-2016-15050 | Nagios | Nagios XI | 2025-11-05 | N/A | 8.8 HIGH | Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitization, allowing an authenticated user to manipulate database queries. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly. |
| CVE-2016-15051 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2016-15052 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Menu System of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2016-15053 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the "My Reports" listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2018-25121 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.4.13 are vulnerable to cross-site scripting (XSS) via the Views page of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2018-25122 | Nagios | Nagios XI | 2025-11-05 | N/A | 8.8 HIGH | Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled input and lacked sufficient validation and output encoding, allowing an authenticated user to inject commands or otherwise execute arbitrary code with the privileges of the application service. |
| CVE-2018-25123 | Nagios | Nagios XI | 2025-11-05 | N/A | 7.8 HIGH | Nagios XI versions prior to 5.5.7 contain a privilege escalation vulnerability in the MRTG graphing component. MRTG-related processes/scripts executed with excessive privileges, allowing a local attacker with limited system access to abuse file/command execution paths or writable resources to gain elevated privileges. |
| CVE-2020-36856 | Nagios | Nagios XI | 2025-11-05 | N/A | 8.8 HIGH | Nagios XI versions prior to 5.6.14 contain an authenticated remote command execution vulnerability in the CCM command_test.php script. Insufficient validation of the `address` parameter allows an authenticated user with access to the Core Config Manager to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and may be leveraged to execute commands ... |
| CVE-2020-36857 | Nagios | Nagios XI | 2025-11-05 | N/A | 7.2 HIGH | Nagios XI versions prior to 5.6.14 contain a post-authentication SQL injection vulnerability in the SNMP Trap Interface page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database. |
| CVE-2020-36858 | Nagios | Log Server | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios Log Server versions prior to 2.1.6 contain cross-site scripting (XSS) vulnerabilities via the web interface on the Create User, Edit User, and Manage Host Lists pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2020-36862 | Nagios | Nagios XI | 2025-11-05 | N/A | 6.1 MEDIUM | Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSRF), potentially accessing internal network resources. An unauthenticated remote attacker can leverage these issues to execute script in a user's browser when the exported content is viewed and to discl ... |
| CVE-2020-36863 | Nagios | Nagios XI | 2025-11-05 | N/A | 8.8 HIGH | Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import feature could upload a crafted PHP file and then request it to achieve remote code execution with the privileges of the application service. |
| CVE-2020-36864 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the background color settings in Dashboards. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2020-36865 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the BPI (Business Process Intelligence) component's Config Management and Edit Config page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2020-36867 | Nagios | Nagios XI | 2025-11-05 | N/A | 8.8 HIGH | Nagios XI versions prior to 5.7.3 contain a command injection vulnerability in the report PDF download/export functionality. User-supplied values used in the PDF generation pipeline or the wrapper that invokes offline/pdf helper utilities were insufficiently validated or improperly escaped, allowing an authenticated attacker who can trigger PDF exports to inject shell metacharacters or arguments. |
| CVE-2020-36868 | Nagios | Nagios XI | 2025-11-05 | N/A | 7.8 HIGH | Nagios XI versions prior to 5.7.3 contain a privilege escalation vulnerability in the getprofile.sh helper script. The script performed profile retrieval and initialization routines using insecure file/command handling and insufficient validation of attacker-controlled inputs, and in some deployments executed with elevated privileges. A local attacker with low-level access could exploit these weaknesses to cause the script to execute arbitrary commands or modify privileged files, resulting in pr ... |
| CVE-2020-36869 | Nagios | Nagios XI | 2025-11-05 | N/A | 7.2 HIGH | Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database. |
| CVE-2021-47695 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.8.0 are vulnerable to stored cross-site scripting (XSS) via the My Tools page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2021-47696 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via BPI config ID handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2021-47697 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via the Views feature URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2021-47699 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.8.7 are vulnerable to cross-site scripting (XSS) via the Audit Log page's Send to NLS form. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2021-47700 | Nagios | Nagios XI | 2025-11-05 | N/A | 7.8 HIGH | Nagios XI versions prior to 5.8.7 used a temporary directory for Highcharts exports with overly permissive ownership/permissions under the Apache user. Local or co-hosted processes could read/overwrite export artifacts or manipulate paths, risking disclosure or tampering and potential code execution depending on deployment. |
| CVE-2022-50586 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the BPI component via the info URL field. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2022-50587 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) via the Apply Configuration error text. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2022-50588 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the update checking feature. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-53688 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform ... |
| CVE-2023-7313 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bulk Modifications tool. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-7314 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bandwidth Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-7315 | Nagios | Nagios XI | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-7321 | Nagios | Log Server | 2025-11-05 | N/A | 5.4 MEDIUM | Nagios Log Server versions prior to 2.1.14 are vulnerable to cross-site scripting (XSS) via the Snapshots Page. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim's browser within the application origin. |
| CVE-2024-13986 | Nagios | Nagios XI | 2025-11-04 | N/A | 8.8 HIGH | Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user. |
| CVE-2021-25296 | Nagios | Nagios XI | 2025-11-03 | 9.0 HIGH | 8.8 HIGH | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. |
| CVE-2021-25297 | Nagios | Nagios XI | 2025-11-03 | 9.0 HIGH | 8.8 HIGH | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. |
| CVE-2021-25298 | Nagios | Nagios XI | 2025-11-03 | 9.0 HIGH | 8.8 HIGH | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. |
| CVE-2025-34227 | Nagios | Nagios XI | 2025-10-14 | N/A | 8.8 HIGH | Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user. |
| CVE-2025-56432 | Nagios | Nagios XI | 2025-09-09 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data. |
| CVE-2025-28131 | Nagios | Network Analyzer | 2025-07-11 | N/A | 4.6 MEDIUM | A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability. |
| CVE-2025-28059 | Nagios | Network Analyzer | 2025-07-11 | N/A | 7.5 HIGH | An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions. |
| CVE-2023-48082 | Nagios | Nagios XI | 2025-07-10 | N/A | 9.1 CRITICAL | Nagios XI before 2024R1 was discovered to improperly handle API key generation (the keys are meant to be randomly generated), allowing attackers to possibly generate the same set of API keys for all users and use them to authenticate. |
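The command-injection entries above (CVE-2020-36856's `address` parameter, the configwizard entries CVE-2021-25296/25297/25298, the database wizards in CVE-2025-34227, and the Component Download and PDF export paths in CVE-2018-25122 and CVE-2020-36867) all share one root cause: a value from an HTTP request is spliced into a shell command string. The example below is added here to show the pattern and its fix; it is illustrative Python rather than Nagios XI's PHP, and the plugin path, parameter name and check arguments are assumptions modelled on the CVE text, not Nagios code.

```python
"""Hardening a host 'address' before it reaches a backend command.

Added illustrative Python (Nagios XI itself is PHP); the plugin path, the
parameter name and the check arguments are assumptions modelled on the CVE text,
not Nagios code.
"""
import ipaddress
import re
import shlex
import subprocess
from typing import Dict, List

CHECK_BIN = "/usr/local/nagios/libexec/check_ping"  # assumed plugin path

# One RFC 1123 hostname label: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_unsafe(address: str, binary: str = CHECK_BIN) -> str:
    """The vulnerable pattern: untrusted input interpolated into a shell command string.
    A shell reads ';', '|', '&', '`', '$()' and newlines as command boundaries, so
    'address' can append arbitrary commands."""
    return f"{binary} -H {address} -w 100,20% -c 500,60%"


def is_valid_address(address: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname.
    Positive validation (what is allowed) beats blocklisting metacharacters."""
    if not address or len(address) > 253:
        return False
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        pass
    labels = address.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_argv(address: str, binary: str = CHECK_BIN) -> List[str]:
    """Hardened: validate, then pass the command as an argv list so no shell ever
    parses the value (subprocess.run(argv) with the default shell=False)."""
    if not is_valid_address(address):
        raise ValueError(f"rejected address: {address!r}")
    return [binary, "-H", address, "-w", "100,20%", "-c", "500,60%"]


def build_shell_string(address: str, binary: str = CHECK_BIN) -> str:
    """If a single shell string is unavoidable (e.g. a sudo wrapper), quote every
    argument after validation; shlex.quote is the second line of defence, not the first."""
    return " ".join(shlex.quote(arg) for arg in build_argv(address, binary))


def run_check(address: str) -> subprocess.CompletedProcess:
    """Execute the real plugin without a shell."""
    return subprocess.run(build_argv(address), capture_output=True, text=True, timeout=30)


def demo(payload: str = "127.0.0.1; echo INJECTED") -> Dict[str, str]:
    """Side by side: the unsafe string run through /bin/sh (with 'echo' standing in
    for the plugin) versus the hardened path. The payload is constructed."""
    unsafe = subprocess.run(["sh", "-c", build_unsafe(payload, binary="echo")],
                            capture_output=True, text=True)
    try:
        build_argv(payload, binary="echo")
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"
    return {"unsafe_stdout": unsafe.stdout, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

The PHP equivalents of the two halves are `exec("... $address ...")` versus validating with `filter_var`/a hostname regex and then `escapeshellarg()` on each argument; an allowlist on the value is what actually closes the bug, the quoting function only limits the damage when the allowlist is wrong.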
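For the SQL injection entries (the notification search in CVE-2016-15050 and the SNMP Trap Interface pages in CVE-2020-36857 and CVE-2020-36869), the following added example shows why string-built SQL lets a search term both widen a query and reach other tables, and what the parameterised version looks like. It is Python with an in-memory SQLite database; the tables, rows and the `search` functions are constructed for illustration and are not Nagios XI's schema or code.

```python
"""Notification search: string-built SQL versus a parameterised query.

Added example in Python with an in-memory SQLite database; the table layout and
rows are constructed for illustration and are not Nagios XI's schema.
"""
import sqlite3
from typing import Dict, List, Tuple

NOTIFICATIONS = [  # constructed sample rows
    ("admin", "HOST DOWN", "db01"),
    ("admin", "SERVICE CRITICAL", "web01"),
    ("alice", "SERVICE WARNING", "web02"),
]
USERS = [  # a second table the injection can reach with UNION
    ("admin", "k-admin-0001"),
    ("alice", "k-alice-0002"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notifications (user TEXT, message TEXT, host TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO notifications VALUES (?, ?, ?)", NOTIFICATIONS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_unsafe(conn: sqlite3.Connection, user: str, term: str) -> List[Tuple]:
    """Vulnerable: the search term is spliced into the statement, so a quote in
    'term' ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT user, message, host FROM notifications "
           f"WHERE user = '{user}' AND message LIKE '%{term}%'")
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, user: str, term: str) -> List[Tuple]:
    """Hardened: placeholders keep data out of the parser. LIKE wildcards in the
    term are escaped too, so '%' and '_' are searched literally rather than
    turned into 'match everything'."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT user, message, host FROM notifications "
           "WHERE user = ? AND message LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (user, f"%{escaped}%")).fetchall()


def demo() -> Dict[str, object]:
    """Run a tautology and a UNION payload (both constructed) through both paths."""
    conn = make_db()
    tautology = "x' OR 1=1 --"
    union = "x' UNION SELECT username, api_key, 'x' FROM users --"
    return {
        "unsafe_tautology_rows": len(search_unsafe(conn, "alice", tautology)),
        "unsafe_union_rows": search_unsafe(conn, "alice", union),
        "safe_tautology_rows": len(search_safe(conn, "alice", tautology)),
        "safe_union_rows": len(search_safe(conn, "alice", union)),
        "safe_normal": search_safe(conn, "alice", "WARN"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology payload turns a per-user search into a dump of every user's notifications, and the UNION payload pulls rows from an unrelated table through the same result set, which is the "impact the database more broadly" outcome the CVE text describes. With placeholders both payloads are just unusual search strings that match nothing. In PHP the same split is `mysqli_query("... '$term' ...")` versus a prepared statement with `bind_param`.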
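Most rows in this list are cross-site scripting, and the fix differs by where the value lands in the page: log text in a table cell (CVE-2016-15049, CVE-2023-7321), a date value in a form field (CVE-2016-15051), an info URL used as a link (CVE-2022-50586) and a background colour used in an inline style (CVE-2020-36864). The added example below renders each of those four contexts correctly; it is Python (the PHP counterpart of `html.escape` is `htmlspecialchars` with `ENT_QUOTES`), and the markup, field names and the hex-colour rule are assumptions, not Nagios templates.

```python
"""Context-aware output encoding for the places the listed XSS entries name:
log text in a table cell, a date value in a form field, an info URL in a link
and a background colour in an inline style.

Added example in Python (Nagios XI is PHP; htmlspecialchars with ENT_QUOTES is
the PHP equivalent of html.escape below). Markup and field names are assumptions.
"""
import html
import re
from urllib.parse import urlsplit

_HEX_COLOUR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")
_SAFE_SCHEMES = {"http", "https"}


def render_log_cell(log_line: str) -> str:
    """HTML text context: entity-encode the untrusted log line. Logs are attacker
    writable (anyone who can make a monitored system emit a line), so they are
    untrusted input even though they never came through a form."""
    return f"<td>{html.escape(log_line, quote=True)}</td>"


def render_date_input(name: str, value: str) -> str:
    """Quoted attribute context: quote=True also encodes '\"' and \"'\", so the
    value cannot close the attribute and add an event handler."""
    return (f'<input type="text" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


def render_info_link(url: str, label: str) -> str:
    """URL context: escaping does nothing against 'javascript:alert(1)', which is
    already valid attribute text. Parse the URL and allow only http(s) with a host;
    everything else degrades to a harmless '#'."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    safe_url = candidate if parts.scheme.lower() in _SAFE_SCHEMES and parts.netloc else "#"
    return (f'<a href="{html.escape(safe_url, quote=True)}" rel="noopener noreferrer">'
            f'{html.escape(label)}</a>')


def render_dashboard_style(bg_colour: str) -> str:
    """CSS context: html.escape does not make a value safe inside style="...".
    Accept only a hex colour (assumed rule); anything else falls back to a default."""
    colour = bg_colour.strip()
    if not _HEX_COLOUR.match(colour):
        colour = "#ffffff"
    return f'<div class="dashboard" style="background-color: {colour}">'


if __name__ == "__main__":
    print(render_log_cell("<img src=x onerror=alert(1)>"))
    print(render_date_input("startdate", '2025-11-05" onfocus="alert(1)'))
    print(render_info_link("javascript:alert(1)", "runbook"))
    print(render_dashboard_style("red; background-image:url(javascript:alert(1))"))
```

The point of the last two functions is that a single escaping routine is not enough: a URL or a colour has to be validated against what that context accepts, because the dangerous payloads there contain no `<`, `>` or quote characters for an HTML escaper to touch. A Content-Security-Policy that disallows inline script is the matching defence in depth.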
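Three entries are identity and authorisation failures rather than injection: CVE-2023-48082 (API keys that were not actually random), CVE-2025-28059 (sessions and API tokens that survive deletion of the user) and CVE-2025-28131 (read-only users able to stop services). The added example below is a small in-memory user directory that gets all three right: keys come from the OS CSPRNG and only their hash is stored, deleting a user revokes every session and key, and the privileged action checks the role server-side. It is Python, not Nagios code; the role names, the service-stop action and the deliberately weak generator shown for contrast are assumptions for the demo.

```python
"""API key generation, session/key revocation on user deletion, and a server-side
role check.

Added example in Python with an in-memory directory; not Nagios code. Role names,
the service-stop action and the weak generator are assumptions made for the demo.
"""
import hashlib
import random
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ROLE_ADMIN = "admin"
ROLE_READONLY = "readonly"


class AuthError(PermissionError):
    pass


@dataclass
class User:
    username: str
    role: str
    api_key_hash: Optional[str] = None     # only a hash is stored; the key is shown once
    sessions: Set[str] = field(default_factory=set)


def weak_api_key(seed: int = 0) -> str:
    """Caricature of the bug class, not Nagios' code: a key derived from a
    predictable seed is the same on every install and for every user processed
    with that seed, so anyone who can reproduce the seed can mint valid keys."""
    rng = random.Random(seed)
    return "".join(rng.choice("0123456789abcdef") for _ in range(32))


def _hash_key(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


class Directory:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.key_index: Dict[str, str] = {}      # sha256(key) -> username
        self.session_index: Dict[str, str] = {}  # session id -> username

    def add_user(self, username: str, role: str) -> User:
        self.users[username] = User(username, role)
        return self.users[username]

    def issue_api_key(self, username: str) -> str:
        """256 bits from the OS CSPRNG; issuing again rotates (the old key stops working)."""
        user = self.users[username]
        if user.api_key_hash:
            self.key_index.pop(user.api_key_hash, None)
        key = secrets.token_urlsafe(32)
        user.api_key_hash = _hash_key(key)
        self.key_index[user.api_key_hash] = username
        return key

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.users[username].sessions.add(sid)
        self.session_index[sid] = username
        return sid

    def authenticate_key(self, key: str) -> Optional[User]:
        """Lookup by hash: a presented key that was never issued hashes to nothing."""
        username = self.key_index.get(_hash_key(key))
        return self.users.get(username) if username else None

    def authenticate_session(self, sid: str) -> Optional[User]:
        username = self.session_index.get(sid)
        return self.users.get(username) if username else None

    def delete_user(self, username: str) -> None:
        """Deleting the account must also kill every live session and API key;
        leaving them in the indexes is exactly the stale-token bug."""
        user = self.users.pop(username)
        for sid in user.sessions:
            self.session_index.pop(sid, None)
        if user.api_key_hash:
            self.key_index.pop(user.api_key_hash, None)

    def stop_service(self, actor: Optional[User], service: str) -> str:
        """Authorisation is enforced here, on the server, not by hiding a button."""
        if actor is None or actor.role != ROLE_ADMIN:
            raise AuthError("administrator role required")
        return f"stopped {service}"
```

Because every lookup goes through the user record, removing that record is sufficient to cut off a deleted user; an application that caches the role or the key in the session object itself, or that checks tokens against a table the delete path never touches, keeps granting access exactly as CVE-2025-28059 describes. The PHP analogue of `secrets.token_urlsafe` is `random_bytes()`, never `rand()`, `mt_rand()` or `uniqid()`.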
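For detection, the command-injection and upload entries leave recognisable shapes in the web server's access log: shell metacharacters in a host-address parameter sent to a CCM or wizard endpoint, and `../` or a `.php` name in a snapshot or upload parameter. The added example below runs that triage over a few constructed Apache combined-format lines. It is Python and not part of Nagios or any SIEM; the URL paths in the sample lines are assumptions standing in for the real endpoints, and only GET query strings are visible this way (POST bodies need the application log or a proxy/WAF that records them).

```python
"""Triage of Apache access-log lines for the request shapes behind the listed
command-injection and upload/traversal entries.

Added example in Python. The log lines are constructed, and the URL paths in them
(command_test.php under the CCM, a monitoring wizard, a snapshot page) are
assumptions standing in for the real endpoints, not captured Nagios traffic.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint fragments whose parameters end up in a shell or a file path (assumed).
SENSITIVE_PATHS = ("command_test.php", "/configwizards/", "wizard", "snapshot", "audio")
# Parameter names that are handed to a plugin as a host address (assumed).
HOST_PARAMS = {"address", "ip_address", "hostname", "host"}
SHELL_META = re.compile(r"[;&|`\n]|\$\(|\$\{")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample lines: one benign CCM request, one with ';id' in the address,
# a wizard call with backticks, a double-encoded traversal in a snapshot rename,
# and a harmless search containing ';' on a non-sensitive page.
SAMPLE_LOG = """\
10.0.0.7 - alice [05/Nov/2025:10:01:02 +0000] "GET /nagiosxi/includes/components/ccm/command_test.php?address=10.0.0.5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - alice [05/Nov/2025:10:01:30 +0000] "GET /nagiosxi/includes/components/ccm/command_test.php?address=10.0.0.5%3Bid HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.4 - bob [05/Nov/2025:10:02:11 +0000] "GET /nagiosxi/config/monitoringwizard.php?wizard=switch&ip_address=%60id%60 HTTP/1.1" 200 900 "-" "curl/8.0"
198.51.100.4 - bob [05/Nov/2025:10:03:45 +0000] "POST /nagiosxi/admin/snapshots.php?action=rename&name=..%252F..%252Fhtml%252Fshell.php HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - carol [05/Nov/2025:10:04:00 +0000] "GET /nagiosxi/reports/search.php?q=disk%3B%20usage HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def analyze(line: str) -> Optional[Dict]:
    """Return a finding dict for a parsable line (reasons may be empty), else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = unquote_plus(parts.path)
    sensitive = any(frag in path.lower() for frag in SENSITIVE_PATHS)
    reasons: List[str] = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded payloads are seen too
        for decoded in {value, unquote_plus(value)}:
            if (sensitive or key in HOST_PARAMS) and SHELL_META.search(decoded):
                reasons.append(f"shell metacharacters in {key!r}")
            if TRAVERSAL.search(decoded):
                reasons.append(f"path traversal in {key!r}")
            if decoded.lower().endswith((".php", ".phtml", ".phar")):
                reasons.append(f"script extension in {key!r}")
    return {"ip": m["ip"], "user": m["user"], "method": m["method"],
            "target": m["target"], "status": m["status"], "reasons": sorted(set(reasons))}


def scan(lines: List[str]) -> List[Dict]:
    """Findings for every line that parsed and tripped at least one rule."""
    findings = []
    for line in lines:
        finding = analyze(line)
        if finding and finding["reasons"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["ip"], finding["user"], finding["target"], finding["reasons"])
```

Scoping the metacharacter rule to host-address parameters and to endpoints known to shell out keeps a legitimate search for `disk; usage` from paging anyone, while traversal sequences and script extensions in any parameter are worth a look wherever they appear. Because all of these entries are post-authentication, the `user` field is the pivot for the follow-up: which account sent the request, and whether it should have had CCM or wizard access at all.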