Filtered by vendor Nagios
Filtered by product Xi
Total: 84 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34287 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 7.8 High |
| Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next run. This improper ownership and permission configuration enables local privilege escalation. | ||||
| CVE-2024-13992 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2024R1.1 are vulnerable to cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied input, allowing an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim's browser within the Nagios XI domain. | ||||
| CVE-2011-10037 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2024-14005 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 8.8 High |
| Nagios XI versions prior to 2024R1.2 contain a command injection vulnerability in the Docker Wizard. Insufficient validation of user-supplied input in the wizard allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user. | ||||
| CVE-2024-14006 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 6.1 Medium |
| Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated links or responses, which may facilitate phishing of credentials, account recovery link hijacking, and web cache poisoning. | ||||
| CVE-2024-13998 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 6.5 Medium |
| Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions. | ||||
| CVE-2024-13997 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 7.2 High |
| Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level attacker could execute actions outside the intended security scope of the application, resulting in full control of the operating system. | ||||
| CVE-2013-10073 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 8.8 High |
| Nagios XI versions prior to 2012R1.6 contain a shell command injection vulnerability in the Auto-Discovery tool. User-controlled input is passed to a shell without adequate sanitization or argument quoting, allowing an authenticated user with access to discovery functionality to execute arbitrary commands with the privileges of the application service. | ||||
| CVE-2024-14002 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.5 Medium |
| Nagios XI versions prior to 2024R1.1.4 contain a local file inclusion (LFI) vulnerability via its NagVis integration. An authenticated user can supply crafted path values that cause the server to include local files, potentially exposing sensitive information from the underlying host. | ||||
| CVE-2013-10074 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2023-7316 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2023-7317 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 8.8 High |
| Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command execution or disclosure of sensitive information. | ||||
| CVE-2023-7318 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2024-13993 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 6.1 Medium |
| Nagios XI versions prior to 2024R1.1.2 are vulnerable to reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim's browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors. | ||||
| CVE-2024-13994 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 9.8 Critical |
| Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios XI web interface depending on the target account. | ||||
| CVE-2024-13995 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 8.8 High |
| Nagios XI versions prior to 2024R1.1.2 (confirmed in 2024R1.1 and 2024R1.1.1) may disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. | ||||
| CVE-2024-13996 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 9.8 Critical |
| Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change. | ||||
| CVE-2024-13999 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 9.8 Critical |
| Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or LDAP authentication token to an authenticated user. Exposure of the server’s AD/LDAP token could allow domain-wide authentication misuse, escalation of privileges, or further compromise of network-integrated systems. | ||||
| CVE-2024-14000 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Capacity Planning Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2024-14001 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Executive Summary Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||