Nagios ≫ Nagios Xi

Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option.

Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter.

Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter.

Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter.

In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user.

Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profil...

Nagios XI before 5.5.4 has XSS in the auto login admin management page.

A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin...

An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidentia...