Nagios ≫ Nagios Xi

The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.

The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arb...

Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lac...

Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.

Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.

Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.

Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.

In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.