Filtered by vendor Nagios
Subscribe
Total
292 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15949 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | 9.0 HIGH | 8.8 HIGH |
| Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root. | |||||
| CVE-2025-34277 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 9.8 CRITICAL |
| Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply crafted dashboard ID values can cause the system to execute attacker-controlled data, leading to arbitrary code execution in the context of the Log Server process. | |||||
| CVE-2025-34298 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 8.8 HIGH |
| Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls. | |||||
| CVE-2024-13998 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 6.5 MEDIUM |
| Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions. | |||||
| CVE-2024-13997 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 7.2 HIGH |
| Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level attacker could execute actions outside the intended security scope of the application, resulting in full control of the operating system. | |||||
| CVE-2013-10073 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 8.8 HIGH |
| Nagios XI versions prior to 2012R1.6 contain a shell command injection vulnerability in the Auto-Discovery tool. User-controlled input is passed to a shell without adequate sanitation or argument quoting, allowing an authenticated user with access to discovery functionality to execute arbitrary commands with the privileges of the application service. | |||||
| CVE-2024-14002 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 5.5 MEDIUM |
| Nagios XI versions prior to 2024R1.1.4 contain a local file inclusion (LFI) vulnerability via its NagVis integration. An authenticated user can supply crafted path values that cause the server to include local files, potentially exposing sensitive information from the underlying host. | |||||
| CVE-2013-10074 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 5.4 MEDIUM |
| Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2023-7316 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 5.4 MEDIUM |
| Nagios XI versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2023-7317 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 8.8 HIGH |
| Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command execution or disclosure of sensitive information. | |||||
| CVE-2023-7318 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 5.4 MEDIUM |
| Nagios XI versions prior to < 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2023-7322 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 8.1 HIGH |
| Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect authorization check could allow authenticated but non-privileged users to read or modify resources beyond their intended rights. | |||||
| CVE-2023-7323 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 5.4 MEDIUM |
| Nagios Log Server versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Create User function. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2024-13993 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 6.1 MEDIUM |
| Nagios XI versions prior to < 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors. | |||||
| CVE-2024-13994 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 9.8 CRITICAL |
| Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios XI web interface depending on the target account. | |||||
| CVE-2024-13995 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 8.8 HIGH |
| Nagios XI versions prior to 2024R1.1.2 may (confirmed in 2024R1.1 and 2024R1.1.1) disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. | |||||
| CVE-2024-13996 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 9.8 CRITICAL |
| Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change. | |||||
| CVE-2024-13999 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 9.8 CRITICAL |
| Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or LDAP authentication token to an authenticated user. Exposure of the server’s AD/LDAP token could allow domain-wide authentication misuse, escalation of privileges, or further compromise of network-integrated systems. | |||||
| CVE-2024-14000 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 5.4 MEDIUM |
| Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Capacity Planning Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2024-14001 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 5.4 MEDIUM |
| Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Executive Summary Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||