Filtered by vendor Nagios
Subscriptions
Total
300 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-14009 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 7.2 High |
| Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability. Due to improper access controls and unsafe handling of exported/imported profile data and operations, an authenticated administrator could exploit this vulnerability to execute actions on the underlying XI host outside the application's security scope. Successful exploitation may allow an administrator to obtain root privileges on the XI server. | ||||
| CVE-2025-34135 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 4.4 Medium |
| Nagios XI versions prior to 2024R1.4.2 configure some systemd unit files with permission sets that were too permissive. In particular, the nagios.service unit had executable permissions that were not required. Overly permissive permissions on service unit files can broaden local attack surface by enabling unintended execution behaviors or facilitating abuse of service operations when combined with other weaknesses. | ||||
| CVE-2025-34278 | 1 Nagios | 1 Network Analyzer | 2025-11-06 | 5.4 Medium |
| Nagios Network Analyzer versions prior to 2024R1 contain a stored cross-site scripting (XSS) vulnerability in the Source Groups page (percentile calculator menu). An attacker can supply a malicious payload which is stored by the application and later rendered in the context of other users. When a victim views the affected page the injected script executes in the victim's browser context. | ||||
| CVE-2025-34280 | 1 Nagios | 1 Network Analyzer | 2025-11-06 | 7.2 High |
| Nagios Network Analyzer versions prior to 2024R2.0.1 contain a vulnerability in the LDAP certificate management functionality whereby the certificate removal operation fails to apply adequate input sanitation. An authenticated administrator can trigger command execution on the underlying host in the context of the web application service, resulting in remote code execution with the service's privileges. | ||||
| CVE-2025-34283 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 6.5 Medium |
| Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API key value. | ||||
| CVE-2025-34284 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 8.8 High |
| Nagios XI versions prior to 2024R2 contain a command injection vulnerability in the WinRM plugin. Insufficient validation of user-supplied parameters allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to modify configuration, exfiltrate data, disrupt monitoring operations, or execute commands on the underlying host operating system. | ||||
| CVE-2025-34286 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 7.2 High |
| Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are executed on the server. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain control of the underlying host operating system. | ||||
| CVE-2025-34287 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 7.8 High |
| Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next run. This improper ownership and permission configuration enables local privilege escalation. | ||||
| CVE-2024-13992 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to < 2024R1.1 is vulnerable to a cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied input, allowing an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI domain. | ||||
| CVE-2011-10037 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2012-10063 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 9.8 Critical |
| Nagios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly. | ||||
| CVE-2011-10040 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2011-10039 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the Alert Heatmap report and the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2011-10038 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2011-10036 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2011-10035 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 7.0 High |
| Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the files or commands executed with elevated privileges, resulting in execution with higher privileges. | ||||
| CVE-2025-60424 | 1 Nagios | 1 Fusion | 2025-11-05 | 7.6 High |
| A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack. | ||||
| CVE-2025-60425 | 1 Nagios | 1 Fusion | 2025-11-05 | 8.6 High |
| Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack. | ||||
| CVE-2016-15054 | 1 Nagios | 1 Xi | 2025-11-05 | N/A |
| Nagios XI versions prior to 5.4.0 are vulnerable to cross-site scripting (XSS) via the jQuery Migrate library. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2016-15049 | 1 Nagios | 1 Log Server | 2025-11-05 | 5.4 Medium |
| Nagios Log Server versions prior to 1.4.2 are vulnerable to cross-site scripting (XSS) in the Dashboards section when rendering log entries in the Logs table. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim’s browser within the application origin. | ||||