Filtered by vendor Nagios
Subscriptions
Total
300 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13999 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 9.8 Critical |
| Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or LDAP authentication token to an authenticated user. Exposure of the server’s AD/LDAP token could allow domain-wide authentication misuse, escalation of privileges, or further compromise of network-integrated systems. | ||||
| CVE-2024-14000 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Capacity Planning Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2024-14001 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Executive Summary Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2024-14003 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 9.8 Critical |
| Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of the web/Nagios service. | ||||
| CVE-2024-14004 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 8.8 High |
| Nagios XI versions prior to 2024R1.2 contain a privilege escalation vulnerability related to NagVis configuration handling (nagvis.conf). An authenticated user could manipulate NagVis configuration data or leverage insufficiently validated configuration settings to obtain elevated privileges on the Nagios XI system. | ||||
| CVE-2013-10072 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 6.5 Medium |
| Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations. | ||||
| CVE-2013-10071 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 6.1 Medium |
| Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2012-10063 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 9.8 Critical |
| Nagios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly. | ||||
| CVE-2011-10040 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2011-10039 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the Alert Heatmap report and the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2011-10038 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2011-10036 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2011-10035 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 7.0 High |
| Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the files or commands executed with elevated privileges, resulting in execution with higher privileges. | ||||
| CVE-2025-60424 | 1 Nagios | 1 Fusion | 2025-11-05 | 7.6 High |
| A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack. | ||||
| CVE-2025-60425 | 1 Nagios | 1 Fusion | 2025-11-05 | 8.6 High |
| Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack. | ||||
| CVE-2016-15049 | 1 Nagios | 1 Log Server | 2025-11-05 | 5.4 Medium |
| Nagios Log Server versions prior to 1.4.2 are vulnerable to cross-site scripting (XSS) in the Dashboards section when rendering log entries in the Logs table. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim’s browser within the application origin. | ||||
| CVE-2016-15050 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-05 | 8.8 High |
| Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitation, allowing an authenticated user to manipulate database queries. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly. | ||||
| CVE-2016-15051 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-05 | 5.4 Medium |
| Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2016-15052 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-05 | 5.4 Medium |
| Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Menu System of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2016-15053 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-05 | 5.4 Medium |
| Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||