ID CVSS Summary Last (major) update Published
CVE-2018-17147 3.5
Nagios XI before 5.5.4 has XSS in the auto login admin management page.
10-07-2019 - 11:38 10-07-2019 - 10:15
CVE-2018-17148 5.0
An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidentia
19-06-2019 - 15:16 19-06-2019 - 14:15
CVE-2018-17146 3.5
A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin
19-06-2019 - 15:16 19-06-2019 - 14:15
CVE-2019-12279 7.5
Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form).
22-05-2019 - 12:29 22-05-2019 - 12:29
CVE-2019-9167 4.3
Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.
28-03-2019 - 16:29 28-03-2019 - 16:29
CVE-2019-9166 7.2
Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php.
28-03-2019 - 16:29 28-03-2019 - 16:29
CVE-2019-9165 7.5
SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.
28-03-2019 - 15:29 28-03-2019 - 15:29
CVE-2019-9164 6.5
Command injection in Nagios XI before 5.5.11 allows an authenticated user to execute arbitrary remote commands via a new autodiscovery job.
28-03-2019 - 13:29 28-03-2019 - 13:29
CVE-2018-20172 4.3
An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability.
17-12-2018 - 10:29 17-12-2018 - 10:29
CVE-2018-20171 4.3
An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability.
17-12-2018 - 10:29 17-12-2018 - 10:29
CVE-2018-18245 3.5
Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to NRPE.
17-12-2018 - 10:29 17-12-2018 - 10:29
CVE-2018-15714 4.3
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters.
14-11-2018 - 13:29 14-11-2018 - 13:29
CVE-2018-15713 3.5
Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php.
14-11-2018 - 13:29 14-11-2018 - 13:29
CVE-2018-15712 4.3
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php.
14-11-2018 - 13:29 14-11-2018 - 13:29
CVE-2018-15711 6.5
Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges.
14-11-2018 - 13:29 14-11-2018 - 13:29
CVE-2018-15710 7.2
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.
14-11-2018 - 13:29 14-11-2018 - 13:29
CVE-2018-15709 6.5
Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request.
14-11-2018 - 13:29 14-11-2018 - 13:29
CVE-2018-15708 7.5
Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.
14-11-2018 - 13:29 14-11-2018 - 13:29
CVE-2016-8641 7.2
A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the file
01-08-2018 - 10:29 01-08-2018 - 10:29
CVE-2018-13458 4.3
qh_core in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
12-07-2018 - 14:29 12-07-2018 - 14:29
CVE-2018-13457 4.3
qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
12-07-2018 - 14:29 12-07-2018 - 14:29
CVE-2018-13441 2.1
qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
12-07-2018 - 14:29 12-07-2018 - 14:29
CVE-2018-10738 6.5
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.
16-05-2018 - 09:29 16-05-2018 - 09:29
CVE-2018-10737 6.5
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.
16-05-2018 - 09:29 16-05-2018 - 09:29
CVE-2018-10736 6.5
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
16-05-2018 - 09:29 16-05-2018 - 09:29
CVE-2018-10735 6.5
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.
16-05-2018 - 09:29 16-05-2018 - 09:29
CVE-2018-10554 3.5
An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, relat
29-04-2018 - 23:29 29-04-2018 - 23:29
CVE-2018-10553 4.0
An issue was discovered in Nagios XI 5.4.13. A registered user is able to use directory traversal to read local files, as demonstrated by URIs beginning with index.php?xiwindow=./ and config/?xiwindow=../ substrings.
29-04-2018 - 23:29 29-04-2018 - 23:29
CVE-2018-8736 9.0
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-8735 9.0
Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-8734 7.5
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-8733 7.5
Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2017-14312 7.2
Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root but supports configuration options in which this file is owned by a non-root account (and similarly can have nagios.cfg owned by a non-root account), which allows local users to ga
11-09-2017 - 18:29 11-09-2017 - 18:29
CVE-2017-12847 6.3
Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a roo
23-08-2017 - 17:29 23-08-2017 - 17:29
CVE-2016-0726 7.5
The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.
06-06-2017 - 14:29 06-06-2017 - 14:29
CVE-2016-6209 4.3
Cross-site scripting (XSS) vulnerability in Nagios.
04-04-2017 - 14:46 31-03-2017 - 12:59
CVE-2014-5009 7.5
Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008.
04-04-2017 - 13:19 31-03-2017 - 12:59
CVE-2008-7313 7.5
The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796.
04-04-2017 - 13:19 31-03-2017 - 12:59
CVE-2016-10089 7.2
Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641.
17-02-2017 - 09:07 15-02-2017 - 10:59
CVE-2013-4214 6.3
rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache.
19-12-2016 - 21:59 23-11-2013 - 12:55
CVE-2016-9565 7.5
MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2, might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an
16-12-2016 - 14:11 15-12-2016 - 17:59
CVE-2016-9566 7.2
base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.
16-12-2016 - 14:10 15-12-2016 - 17:59
CVE-2008-5028 6.8
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecifi
07-12-2016 - 22:01 10-11-2008 - 10:23
CVE-2008-5027 6.5
The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote authenticated users to bypass authorization checks, and trigger execution of arbitrary programs by this process, via an (a) custom form or a (b) browser addo
07-12-2016 - 22:01 10-11-2008 - 10:23
CVE-2014-4703 2.1
lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4701.
28-11-2016 - 14:12 05-12-2014 - 11:59
CVE-2014-4702 2.1
The check_icmp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4701.
28-11-2016 - 14:12 05-12-2014 - 11:59
CVE-2014-4701 2.1
The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4702.
28-11-2016 - 14:12 05-12-2014 - 11:59
CVE-2013-7205 6.4
Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long str
28-11-2016 - 14:10 15-01-2014 - 11:08
CVE-2013-7108 5.5
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (
28-11-2016 - 14:10 15-01-2014 - 11:08
CVE-2014-1878 5.0
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation f
28-02-2014 - 13:27 28-02-2014 - 10:13
CVE-2013-2214 4.0
status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servic
25-02-2014 - 09:54 10-02-2014 - 18:55
CVE-2013-6875 7.5
SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.
27-11-2013 - 09:58 26-11-2013 - 11:55
CVE-2012-6096 7.5
Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long
04-06-2013 - 23:40 22-01-2013 - 18:55
CVE-2011-2179 4.3
Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command ac
21-11-2011 - 22:56 14-06-2011 - 13:55
CVE-2011-1523 4.3
Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the layer parameter.
21-09-2011 - 23:30 03-05-2011 - 15:55
CVE-2008-1360 4.3
Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts, a different issue than CVE-2007-5624.
07-03-2011 - 22:06 17-03-2008 - 13:44
CVE-2007-5803 4.3
Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360.
07-03-2011 - 22:01 13-05-2008 - 19:20
CVE-2007-5624 4.3
Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
07-03-2011 - 22:01 23-10-2007 - 12:46
CVE-2006-2489 7.5
Integer overflow in CGI scripts in Nagios 1.x before 1.4.1 and 2.x before 2.3.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a content length (Content-Length) HTTP header. NOTE: this is a diffe
07-03-2011 - 21:36 19-05-2006 - 19:02
CVE-2006-2162 5.0
Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header.
07-03-2011 - 21:35 03-05-2006 - 17:02
CVE-2009-2288 7.5
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.
03-04-2010 - 01:30 01-07-2009 - 09:00
CVE-2008-6373 5.0
Unspecified vulnerability in Nagios before 3.0.6 has unspecified impact and remote attack vectors related to CGI programs, "adaptive external commands," and "writing newlines and submitting service comments."
22-07-2009 - 15:05 02-03-2009 - 14:30
CVE-2002-1959 10.0
Nagios 1.0b1 through 1.0b3 allows remote attackers to execute arbitrary commands via shell metacharacters in plugin output.
05-09-2008 - 16:31 31-12-2002 - 00:00