Filtered by vendor Nagios
Subscribe
Total
294 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-53688 | 1 Nagios | 1 Nagios Xi | 2025-11-05 | N/A | 5.4 MEDIUM |
| Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform unwanted actions. | |||||
| CVE-2023-7313 | 1 Nagios | 1 Nagios Xi | 2025-11-05 | N/A | 5.4 MEDIUM |
| Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bulk Modifications tool. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2023-7314 | 1 Nagios | 1 Nagios Xi | 2025-11-05 | N/A | 5.4 MEDIUM |
| Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bandwidth Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2023-7315 | 1 Nagios | 1 Nagios Xi | 2025-11-05 | N/A | 5.4 MEDIUM |
| Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2023-7321 | 1 Nagios | 1 Log Server | 2025-11-05 | N/A | 5.4 MEDIUM |
| Nagios Log Server versions prior to 2.1.14 are vulnerable to cross-site scripting (XSS) via the Snapshots Page. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim’s browser within the application origin. | |||||
| CVE-2024-13986 | 1 Nagios | 1 Nagios Xi | 2025-11-04 | N/A | 8.8 HIGH |
| Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user. | |||||
| CVE-2021-25296 | 1 Nagios | 1 Nagios Xi | 2025-11-03 | 9.0 HIGH | 8.8 HIGH |
| Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | |||||
| CVE-2021-25297 | 1 Nagios | 1 Nagios Xi | 2025-11-03 | 9.0 HIGH | 8.8 HIGH |
| Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | |||||
| CVE-2021-25298 | 1 Nagios | 1 Nagios Xi | 2025-11-03 | 9.0 HIGH | 8.8 HIGH |
| Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | |||||
| CVE-2025-34227 | 1 Nagios | 1 Nagios Xi | 2025-10-14 | N/A | 8.8 HIGH |
| Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user. | |||||
| CVE-2025-56432 | 1 Nagios | 1 Nagios Xi | 2025-09-09 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data. | |||||
| CVE-2025-28131 | 1 Nagios | 1 Network Analyzer | 2025-07-11 | N/A | 4.6 MEDIUM |
| A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability. | |||||
| CVE-2025-28059 | 1 Nagios | 1 Network Analyzer | 2025-07-11 | N/A | 7.5 HIGH |
| An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions. | |||||
| CVE-2023-48082 | 1 Nagios | 1 Nagios Xi | 2025-07-10 | N/A | 9.1 CRITICAL |
| Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate. | |||||
| CVE-2024-54957 | 1 Nagios | 1 Nagios Xi | 2025-07-07 | N/A | 6.1 MEDIUM |
| Nagios XI 2024R1.2.2 is vulnerable to an open redirect flaw on the Tools page, exploitable by users with read-only permissions. This vulnerability allows an attacker to craft a malicious link that redirects users to an arbitrary external URL without their consent. | |||||
| CVE-2024-54960 | 1 Nagios | 1 Nagios Xi | 2025-07-07 | N/A | 6.5 MEDIUM |
| A SQL Injection vulnerability in Nagios XI 2024R1.2.2 allows a remote attacker to execute SQL injection via a crafted payload in the History Tab component. | |||||
| CVE-2024-54959 | 1 Nagios | 1 Nagios Xi | 2025-07-01 | N/A | 6.1 MEDIUM |
| Nagios XI 2024R1.2.2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack through the Favorites component, enabling POST-based Cross-Site Scripting (XSS). | |||||
| CVE-2024-54958 | 1 Nagios | 1 Nagios Xi | 2025-07-01 | N/A | 6.1 MEDIUM |
| Nagios XI 2024R1.2.2 is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the Tools page. This flaw allows an attacker to inject malicious scripts into the Tools interface, which are then stored and executed in the context of other users accessing the page. | |||||
| CVE-2024-33775 | 1 Nagios | 1 Nagios Xi | 2025-06-30 | N/A | 9.8 CRITICAL |
| An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet. | |||||
| CVE-2024-24401 | 1 Nagios | 1 Nagios Xi | 2025-06-27 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component. | |||||