Search

Find a vulnerability

Search criteria

    52 vulnerabilities found for Nagios XI by Nagios

    CERTFR-2025-AVI-0989

    Vulnerability from certfr_avis - Published: 2025-11-12 - Updated: 2025-11-12

    Une vulnérabilité a été découverte dans Nagios XI. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2026R1.0.1
    References
    Bulletin de sécurité Nagios XI nagios-xi 2025-11-11 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2026R1.0.1",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2025-11-12T00:00:00",
      "last_revision_date": "2025-11-12T00:00:00",
      "links": [],
      "reference": "CERTFR-2025-AVI-0989",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2025-11-12T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        }
      ],
      "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Nagios XI. Elle permet \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.",
      "title": "Vuln\u00e9rabilit\u00e9 dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": "2025-11-11",
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI nagios-xi",
          "url": "https://www.nagios.com/changelog/nagios-xi/"
        }
      ]
    }

    CERTFR-2025-AVI-0733

    Vulnerability from certfr_avis - Published: 2025-08-28 - Updated: 2025-08-28

    Une vulnérabilité a été découverte dans Nagios XI. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2024R2.1
    References
    Bulletin de sécurité Nagios XI changelog 2025-08-27 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2024R2.1",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2025-08-28T00:00:00",
      "last_revision_date": "2025-08-28T00:00:00",
      "links": [],
      "reference": "CERTFR-2025-AVI-0733",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2025-08-28T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        }
      ],
      "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Nagios XI. Elle permet \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).",
      "title": "Vuln\u00e9rabilit\u00e9 dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": "2025-08-27",
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI changelog",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2025-AVI-0182

    Vulnerability from certfr_avis - Published: 2025-03-07 - Updated: 2025-03-07

    Une vulnérabilité a été découverte dans Nagios XI. Elle permet à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2024R1.4
    References
    Bulletin de sécurité Nagios XI changelog 2025-08-27 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2024R1.4",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2025-03-07T00:00:00",
      "last_revision_date": "2025-03-07T00:00:00",
      "links": [],
      "reference": "CERTFR-2025-AVI-0182",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2025-03-07T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        }
      ],
      "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Nagios XI. Elle permet \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
      "title": "Vuln\u00e9rabilit\u00e9 dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": "2025-08-27",
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI changelog",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2024-AVI-1075

    Vulnerability from certfr_avis - Published: 2024-12-13 - Updated: 2024-12-13

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2024R1.3.2
    References
    Bulletin de sécurité Nagios XI changelog 2024-12-12 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2024R1.3.2",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2024-12-13T00:00:00",
      "last_revision_date": "2024-12-13T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-1075",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-12-13T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": "2024-12-12",
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI changelog",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2024-AVI-0966

    Vulnerability from certfr_avis - Published: 2024-11-13 - Updated: 2024-11-13

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une injection de requêtes illégitimes par rebond (CSRF) et un contournement de la politique de sécurité.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2024R1.3.1
    References
    Bulletin de sécurité Nagios XI changelog 2024-12-12 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2024R1.3.1",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2024-11-13T00:00:00",
      "last_revision_date": "2024-11-13T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-0966",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-11-13T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        },
        {
          "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF) et un contournement de la politique de s\u00e9curit\u00e9.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": "2024-12-12",
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI changelog",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2024-AVI-0805

    Vulnerability from certfr_avis - Published: 2024-09-25 - Updated: 2024-09-25

    Une vulnérabilité a été découverte dans Nagios XI. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2024R1.2.2
    References
    Bulletin de sécurité Nagios XI changelog 2024-12-12 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2024R1.2.2",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2024-09-25T00:00:00",
      "last_revision_date": "2024-09-25T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-0805",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-09-25T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Nagios XI. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
      "title": "Vuln\u00e9rabilit\u00e9 dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": "2024-12-12",
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI changelog",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2024-AVI-0675

    Vulnerability from certfr_avis - Published: 2024-08-14 - Updated: 2024-08-14

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer une élévation de privilèges, un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2024R1.2
    References
    Bulletin de sécurité Nagios XI changelog 2024-12-12 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2024R1.2",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2024-08-14T00:00:00",
      "last_revision_date": "2024-08-14T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-0675",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-08-14T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        },
        {
          "description": "\u00c9l\u00e9vation de privil\u00e8ges"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": "2024-12-12",
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI changelog",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2024-AVI-0621

    Vulnerability from certfr_avis - Published: 2024-07-24 - Updated: 2024-07-24

    Une vulnérabilité a été découverte dans Nagios XI. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2024R1.1.5
    References
    Bulletin de sécurité Nagios XI changelog 2024-12-12 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2024R1.1.5",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2024-07-24T00:00:00",
      "last_revision_date": "2024-07-24T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-0621",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-07-24T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        }
      ],
      "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Nagios XI. Elle permet \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).",
      "title": "Vuln\u00e9rabilit\u00e9 dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": "2024-12-12",
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI changelog",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2024-AVI-0448

    Vulnerability from certfr_avis - Published: 2024-05-29 - Updated: 2024-05-29

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS).

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2024R1.1.3
    References
    Bulletin de sécurité Nagios XI 2024-05-28 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2024R1.1.3",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [],
      "initial_release_date": "2024-05-29T00:00:00",
      "last_revision_date": "2024-05-29T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-0448",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-05-29T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles permettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": "2024-05-28",
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2024-AVI-0342

    Vulnerability from certfr_avis - Published: 2024-04-24 - Updated: 2024-04-24

    De multiples vulnérabilités ont été découvertes dans NagiosXI. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur et une atteinte à l'intégrité des données.

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Nagios Nagios XI NagiosXI versions antérieures à 2024R1.1.2
    References
    Bulletin de sécurité NagiosXI 2024-04-23 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "NagiosXI versions ant\u00e9rieures \u00e0 2024R1.1.2",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2024-04-24T00:00:00",
      "last_revision_date": "2024-04-24T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-0342",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-04-24T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans NagiosXI. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans NagiosXI",
      "vendor_advisories": [
        {
          "published_at": "2024-04-23",
          "title": "Bulletin de s\u00e9curit\u00e9 NagiosXI",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2024-AVI-0252

    Vulnerability from certfr_avis - Published: 2024-03-27 - Updated: 2024-03-27

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur et une injection de code indirecte à distance (XSS).

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 2024R1.1
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 2024R1.1",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2024-03-27T00:00:00",
      "last_revision_date": "2024-03-27T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-0252",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-03-27T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur et une injection de code indirecte \u00e0 distance\n(XSS).\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI du 26 mars 2024",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2023-AVI-1004

    Vulnerability from certfr_avis - Published: 2023-12-07 - Updated: 2023-12-07

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur et une injection de code indirecte à distance (XSS).

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI sans le correctif de sécurité 2024R1
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI sans le correctif de s\u00e9curit\u00e9 2024R1",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2023-12-07T00:00:00",
      "last_revision_date": "2023-12-07T00:00:00",
      "links": [],
      "reference": "CERTFR-2023-AVI-1004",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2023-12-07T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur et une injection de code indirecte \u00e0 distance\n(XSS).\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI 2024R1 du 06 d\u00e9cembre 2023",
          "url": "https://www.nagios.com/changelog/"
        }
      ]
    }

    CERTFR-2023-AVI-0900

    Vulnerability from certfr_avis - Published: 2023-11-02 - Updated: 2023-11-02

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une injection de code indirecte à distance (XSS).

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versons antérieures à 5.11.3
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versons ant\u00e9rieures \u00e0 5.11.3",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2023-11-02T00:00:00",
      "last_revision_date": "2023-11-02T00:00:00",
      "links": [],
      "reference": "CERTFR-2023-AVI-0900",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2023-11-02T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
        },
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une injection de code indirecte \u00e0 distance\n(XSS).\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI 5.11.3 du 01 novembre 2023",
          "url": "https://www.nagios.com/change-log/"
        }
      ]
    }

    CERTFR-2023-AVI-0714

    Vulnerability from certfr_avis - Published: 2023-09-06 - Updated: 2023-09-06

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 5.11.2
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 5.11.2",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2023-09-06T00:00:00",
      "last_revision_date": "2023-09-06T00:00:00",
      "links": [],
      "reference": "CERTFR-2023-AVI-0714",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2023-09-06T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "D\u00e9ni de service \u00e0 distance"
        },
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        },
        {
          "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        },
        {
          "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI du 05 septembre 2023",
          "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"
        }
      ]
    }

    CERTFR-2023-AVI-0085

    Vulnerability from certfr_avis - Published: 2023-02-02 - Updated: 2023-02-02

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 5.9.3
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 5.9.3",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [
        {
          "name": "CVE-2023-24036",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-24036"
        },
        {
          "name": "CVE-2023-24035",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-24035"
        },
        {
          "name": "CVE-2023-24037",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-24037"
        }
      ],
      "initial_release_date": "2023-02-02T00:00:00",
      "last_revision_date": "2023-02-02T00:00:00",
      "links": [],
      "reference": "CERTFR-2023-AVI-0085",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2023-02-02T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9.\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI du 01 f\u00e9vrier 2023",
          "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"
        }
      ]
    }

    CERTFR-2022-AVI-754

    Vulnerability from certfr_avis - Published: 2022-08-19 - Updated: 2022-08-19

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 5.9.0
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 5.9.0",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2022-08-19T00:00:00",
      "last_revision_date": "2022-08-19T00:00:00",
      "links": [],
      "reference": "CERTFR-2022-AVI-754",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2022-08-19T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios du 18 ao\u00fbt 2022",
          "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"
        }
      ]
    }

    CERTFR-2022-AVI-400

    Vulnerability from certfr_avis - Published: 2022-04-29 - Updated: 2022-04-29

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 5.8.9
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 5.8.9",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [
        {
          "name": "CVE-2022-29272",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-29272"
        },
        {
          "name": "CVE-2022-29270",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-29270"
        },
        {
          "name": "CVE-2022-29269",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-29269"
        },
        {
          "name": "CVE-2022-29271",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-29271"
        }
      ],
      "initial_release_date": "2022-04-29T00:00:00",
      "last_revision_date": "2022-04-29T00:00:00",
      "links": [],
      "reference": "CERTFR-2022-AVI-400",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2022-04-29T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        },
        {
          "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios  XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI du 28 avril 2022",
          "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"
        }
      ]
    }

    CERTFR-2022-AVI-232

    Vulnerability from certfr_avis - Published: 2022-03-10 - Updated: 2022-03-10

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 5.8.8
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 5.8.8",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2022-03-10T00:00:00",
      "last_revision_date": "2022-03-10T00:00:00",
      "links": [],
      "reference": "CERTFR-2022-AVI-232",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2022-03-10T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI du 08 mars 2022",
          "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"
        }
      ]
    }

    CERTFR-2021-AVI-844

    Vulnerability from certfr_avis - Published: 2021-11-03 - Updated: 2021-11-03

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une injection de code indirecte à distance (XSS).

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 5.8.7
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 5.8.7",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2021-11-03T00:00:00",
      "last_revision_date": "2021-11-03T00:00:00",
      "links": [],
      "reference": "CERTFR-2021-AVI-844",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2021-11-03T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9 et une injection de code indirecte \u00e0 distance (XSS).\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI du 02 novembre 2021",
          "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"
        }
      ]
    }

    CERTFR-2021-AVI-674

    Vulnerability from certfr_avis - Published: 2021-09-03 - Updated: 2021-09-03

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire et une injection de code indirecte à distance (XSS).

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 5.8.6
    Nagios Nagios XI Core Config Manager versions antérieures à 3.1.4
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 5.8.6",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        },
        {
          "description": "Core Config Manager versions ant\u00e9rieures \u00e0 3.1.4",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [
        {
          "name": "CVE-2021-38156",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-38156"
        }
      ],
      "initial_release_date": "2021-09-03T00:00:00",
      "last_revision_date": "2021-09-03T00:00:00",
      "links": [],
      "reference": "CERTFR-2021-AVI-674",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2021-09-03T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Ex\u00e9cution de code arbitraire"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code arbitraire et une\ninjection de code indirecte \u00e0 distance (XSS).\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI du 2 septembre 2021",
          "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"
        }
      ]
    }

    CERTFR-2021-AVI-534

    Vulnerability from certfr_avis - Published: 2021-07-16 - Updated: 2021-07-16

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un contournement de la politique de sécurité.

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 5.8.5
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 5.8.5",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2021-07-16T00:00:00",
      "last_revision_date": "2021-07-16T00:00:00",
      "links": [],
      "reference": "CERTFR-2021-AVI-534",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2021-07-16T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code arbitraire \u00e0 distance et\nun contournement de la politique de s\u00e9curit\u00e9.\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios du 15 juillet 2021",
          "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"
        }
      ]
    }

    CERTFR-2021-AVI-458

    Vulnerability from certfr_avis - Published: 2021-06-11 - Updated: 2021-06-11

    De multiples vulnérabilités ont été découvertes dans Nagios XI. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur et une injection de code indirecte à distance (XSS).

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    Nagios Nagios XI Nagios XI versions antérieures à 5.8.4
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Nagios XI versions ant\u00e9rieures \u00e0 5.8.4",
          "product": {
            "name": "Nagios XI",
            "vendor": {
              "name": "Nagios",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [],
      "initial_release_date": "2021-06-11T00:00:00",
      "last_revision_date": "2021-06-11T00:00:00",
      "links": [],
      "reference": "CERTFR-2021-AVI-458",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2021-06-11T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Nagios XI. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur et une injection de code indirecte \u00e0 distance\n(XSS).\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Nagios XI",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 Nagios XI du 10 juin 2021",
          "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"
        }
      ]
    }

    CVE-2025-34227 (GCVE-0-2025-34227)

    Vulnerability from nvd – Published: 2025-09-25 17:08 – Updated: 2026-05-15 11:15
    VLAI
    Title
    Nagios XI < 2026R1 Configuration Wizard Authenticated Command Injection
    Summary
    Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Nagios Nagios XI Affected: 0 , < 2026R1 (custom)
    Create a notification for this product.
    Credits
    M. Cory Billington of theyhack.me
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-34227",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-26T03:55:17.094928Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:47:56.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Configuration Wizard (/config/monitoringwizard.php)"
              ],
              "product": "Nagios XI",
              "vendor": "Nagios",
              "versions": [
                {
                  "lessThan": "2026R1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:nagios:nagios_xi:2026:*:*:*:*:*:*:*",
                      "versionEndExcluding": "r1",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M. Cory Billington of theyhack.me"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNagios XI \u0026lt; 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Nagios XI \u003c 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-15T11:15:31.803Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.nagios.com/changelog/"
            },
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.nagios.com/products/security/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/nagios-xi-config-wizard-auth-command-injection"
            },
            {
              "tags": [
                "technical-description",
                "exploit"
              ],
              "url": "https://theyhack.me/CVE-2025-34227-Nagios-XI-Wizard-Command-Injection/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Nagios XI \u003c 2026R1 Configuration Wizard Authenticated Command Injection",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2025-34227",
        "datePublished": "2025-09-25T17:08:52.921Z",
        "dateReserved": "2025-04-15T19:15:22.574Z",
        "dateUpdated": "2026-05-15T11:15:31.803Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13986 (GCVE-0-2024-13986)

    Vulnerability from nvd – Published: 2025-08-28 15:49 – Updated: 2026-05-15 11:14
    VLAI
    Title
    Nagios XI < 2024R1.3.2 Authenticated Arbitrary File Upload Path Traversal RCE
    Summary
    Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Nagios Nagios XI Affected: 0 , < 2024R1.3.2 (custom)
    Create a notification for this product.
    Credits
    M. Cory Billington of theyhack.me
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13986",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-29T03:55:26.479920Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:47:52.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://theyhack.me/Nagios-XI-Authenticated-RCE/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "MIB Upload (/admin/mibs.php)",
                "Snapshot Rename (/admin/coreconfigsnapshots.php)"
              ],
              "product": "Nagios XI",
              "vendor": "Nagios",
              "versions": [
                {
                  "lessThan": "2024R1.3.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:*:*:*:*:*:*:*",
                      "versionEndExcluding": "r1.3.2",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M. Cory Billington of theyhack.me"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Nagios XI \u0026lt; 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user."
                }
              ],
              "value": "Nagios XI \u003c 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137 Parameter Injection"
                }
              ]
            },
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-15T11:14:34.659Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "technical-description",
                "exploit"
              ],
              "url": "https://theyhack.me/Nagios-XI-Authenticated-RCE"
            },
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.nagios.com/changelog/nagios-xi/"
            },
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.nagios.com/products/security/#nagios-xi"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/nagios-xi-authenticated-arbitrary-file-upload-path-traversal-rce"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Nagios XI \u003c 2024R1.3.2 Authenticated Arbitrary File Upload Path Traversal RCE",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2024-13986",
        "datePublished": "2025-08-28T15:49:46.119Z",
        "dateReserved": "2025-08-28T15:35:33.691Z",
        "dateUpdated": "2026-05-15T11:14:34.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-33179 (GCVE-0-2021-33179)

    Vulnerability from nvd – Published: 2021-10-14 14:57 – Updated: 2024-08-03 23:42
    VLAI
    Summary
    The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Nagios Nagios XI Affected: <5.8.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:42:20.281Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Nagios XI",
              "vendor": "Nagios",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c5.8.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-14T14:57:17.000Z",
            "orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
            "shortName": "SNPS"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "disclosure@synopsys.com",
              "ID": "CVE-2021-33179",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Nagios XI",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c5.8.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Nagios"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi",
                  "refsource": "MISC",
                  "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
        "assignerShortName": "SNPS",
        "cveId": "CVE-2021-33179",
        "datePublished": "2021-10-14T14:57:17.000Z",
        "dateReserved": "2021-05-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:42:20.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-33177 (GCVE-0-2021-33177)

    Vulnerability from nvd – Published: 2021-10-14 14:55 – Updated: 2024-08-03 23:42
    VLAI
    Summary
    The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries.
    Severity
    No CVSS data available.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Nagios Nagios XI Affected: <5.8.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:42:20.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Nagios XI",
              "vendor": "Nagios",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c5.8.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-14T14:55:39.000Z",
            "orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
            "shortName": "SNPS"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "disclosure@synopsys.com",
              "ID": "CVE-2021-33177",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Nagios XI",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c5.8.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Nagios"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi",
                  "refsource": "MISC",
                  "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
        "assignerShortName": "SNPS",
        "cveId": "CVE-2021-33177",
        "datePublished": "2021-10-14T14:55:39.000Z",
        "dateReserved": "2021-05-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:42:20.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-34227 (GCVE-0-2025-34227)

    Vulnerability from cvelistv5 – Published: 2025-09-25 17:08 – Updated: 2026-05-15 11:15
    VLAI
    Title
    Nagios XI < 2026R1 Configuration Wizard Authenticated Command Injection
    Summary
    Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Nagios Nagios XI Affected: 0 , < 2026R1 (custom)
    Create a notification for this product.
    Credits
    M. Cory Billington of theyhack.me
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-34227",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-26T03:55:17.094928Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:47:56.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Configuration Wizard (/config/monitoringwizard.php)"
              ],
              "product": "Nagios XI",
              "vendor": "Nagios",
              "versions": [
                {
                  "lessThan": "2026R1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:nagios:nagios_xi:2026:*:*:*:*:*:*:*",
                      "versionEndExcluding": "r1",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M. Cory Billington of theyhack.me"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNagios XI \u0026lt; 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Nagios XI \u003c 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-15T11:15:31.803Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.nagios.com/changelog/"
            },
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.nagios.com/products/security/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/nagios-xi-config-wizard-auth-command-injection"
            },
            {
              "tags": [
                "technical-description",
                "exploit"
              ],
              "url": "https://theyhack.me/CVE-2025-34227-Nagios-XI-Wizard-Command-Injection/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Nagios XI \u003c 2026R1 Configuration Wizard Authenticated Command Injection",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2025-34227",
        "datePublished": "2025-09-25T17:08:52.921Z",
        "dateReserved": "2025-04-15T19:15:22.574Z",
        "dateUpdated": "2026-05-15T11:15:31.803Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13986 (GCVE-0-2024-13986)

    Vulnerability from cvelistv5 – Published: 2025-08-28 15:49 – Updated: 2026-05-15 11:14
    VLAI
    Title
    Nagios XI < 2024R1.3.2 Authenticated Arbitrary File Upload Path Traversal RCE
    Summary
    Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Nagios Nagios XI Affected: 0 , < 2024R1.3.2 (custom)
    Create a notification for this product.
    Credits
    M. Cory Billington of theyhack.me
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13986",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-29T03:55:26.479920Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:47:52.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://theyhack.me/Nagios-XI-Authenticated-RCE/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "MIB Upload (/admin/mibs.php)",
                "Snapshot Rename (/admin/coreconfigsnapshots.php)"
              ],
              "product": "Nagios XI",
              "vendor": "Nagios",
              "versions": [
                {
                  "lessThan": "2024R1.3.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:*:*:*:*:*:*:*",
                      "versionEndExcluding": "r1.3.2",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M. Cory Billington of theyhack.me"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Nagios XI \u0026lt; 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user."
                }
              ],
              "value": "Nagios XI \u003c 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137 Parameter Injection"
                }
              ]
            },
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-15T11:14:34.659Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "technical-description",
                "exploit"
              ],
              "url": "https://theyhack.me/Nagios-XI-Authenticated-RCE"
            },
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.nagios.com/changelog/nagios-xi/"
            },
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.nagios.com/products/security/#nagios-xi"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/nagios-xi-authenticated-arbitrary-file-upload-path-traversal-rce"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Nagios XI \u003c 2024R1.3.2 Authenticated Arbitrary File Upload Path Traversal RCE",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2024-13986",
        "datePublished": "2025-08-28T15:49:46.119Z",
        "dateReserved": "2025-08-28T15:35:33.691Z",
        "dateUpdated": "2026-05-15T11:14:34.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-33179 (GCVE-0-2021-33179)

    Vulnerability from cvelistv5 – Published: 2021-10-14 14:57 – Updated: 2024-08-03 23:42
    VLAI
    Summary
    The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Nagios Nagios XI Affected: <5.8.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:42:20.281Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Nagios XI",
              "vendor": "Nagios",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c5.8.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-14T14:57:17.000Z",
            "orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
            "shortName": "SNPS"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "disclosure@synopsys.com",
              "ID": "CVE-2021-33179",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Nagios XI",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c5.8.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Nagios"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi",
                  "refsource": "MISC",
                  "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
        "assignerShortName": "SNPS",
        "cveId": "CVE-2021-33179",
        "datePublished": "2021-10-14T14:57:17.000Z",
        "dateReserved": "2021-05-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:42:20.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-33177 (GCVE-0-2021-33177)

    Vulnerability from cvelistv5 – Published: 2021-10-14 14:55 – Updated: 2024-08-03 23:42
    VLAI
    Summary
    The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries.
    Severity
    No CVSS data available.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Nagios Nagios XI Affected: <5.8.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:42:20.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Nagios XI",
              "vendor": "Nagios",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c5.8.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-14T14:55:39.000Z",
            "orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
            "shortName": "SNPS"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "disclosure@synopsys.com",
              "ID": "CVE-2021-33177",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Nagios XI",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c5.8.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Nagios"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi",
                  "refsource": "MISC",
                  "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
        "assignerShortName": "SNPS",
        "cveId": "CVE-2021-33177",
        "datePublished": "2021-10-14T14:55:39.000Z",
        "dateReserved": "2021-05-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:42:20.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }