Nagios Xi vulnerabilities

192 known vulnerabilities affecting nagios/nagios_xi.

Total CVEs: 192
CISA KEV: 4 (actively exploited)
Public exploits: 26
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 71, MEDIUM 94

Vulnerabilities

Page 7 of 10
CVE-2024-54961 | P3 | MEDIUM | CVSS 6.5 | v2024 | 2025-02-20
CVE-2024-54961 [MEDIUM] CWE-200: Nagios XI 2024R1.2.2 has an Information Disclosure vulnerability, which allows unauthenticated users to access multiple pages displaying the usernames and email addresses of all current users.
Source: nvd

CVE-2011-10035 | P3 | HIGH | CVSS 7.0 | ≤ 2009 | v2011 | 2025-10-30
CVE-2011-10035 [HIGH] CWE-367: Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the
Source: nvd

CVE-2020-10820 | P4 | MEDIUM | CVSS 4.8 | v5.6.11 | 2020-03-22
CVE-2020-10820 [MEDIUM] CWE-79: Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter.
Source: nvd

CVE-2024-14006 | P4 | MEDIUM | CVSS 6.1 | fixed in 2024 | v2024 | 2025-10-30
CVE-2024-14006 [MEDIUM] CWE-346: Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated links or responses, which may facilitate phishing of cr
Source: nvd

CVE-2021-37351 | P4 | MEDIUM | CVSS 5.3 | fixed in 5.8.5 | 2021-08-13
CVE-2021-37351 [MEDIUM] CWE-276: Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.
Source: nvd

CVE-2021-37352 | P4 | MEDIUM | CVSS 6.1 | fixed in 5.8.5 | 2021-08-13
CVE-2021-37352 [MEDIUM] CWE-601: An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.
Source: nvd

CVE-2020-36862 | P4 | MEDIUM | CVSS 6.1 | fixed in 5.6.11 | 2025-10-30
CVE-2020-36862 [MEDIUM] CWE-79: Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSRF), potentially accessing internal network resources.
Source: nvd

CVE-2021-33179 | P4 | MEDIUM | CVSS 6.1 | fixed in 5.8.4 | v<5.8.4 | 2021-10-14
CVE-2021-33179 [MEDIUM] CWE-79: The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.
Source: nvd

CVE-2020-5790 | P4 | MEDIUM | CVSS 6.5 | v5.7.3 | 2020-10-20
CVE-2020-5790 [MEDIUM] CWE-352: Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
Source: nvd

CVE-2018-15713 | P4 | MEDIUM | CVSS 5.4 | v5.5.6 | 2018-11-14
CVE-2018-15713 [MEDIUM] CWE-79: Nagios XI 5.5.6 allows persistent cross-site scripting from remote authenticated attackers via the stored email address in admin/users.php.
Source: nvd

CVE-2018-15714 | P4 | MEDIUM | CVSS 6.1 | v5.5.6 | 2018-11-14
CVE-2018-15714 [MEDIUM] CWE-79: Nagios XI 5.5.6 allows reflected cross-site scripting from remote unauthenticated attackers via the oname and oname2 parameters.
Source: nvd

CVE-2024-54957 | P4 | MEDIUM | CVSS 6.1 | v2024 | 2025-02-27
CVE-2024-54957 [MEDIUM] CWE-601: Nagios XI 2024R1.2.2 is vulnerable to an open redirect flaw on the Tools page, exploitable by users with read-only permissions. This vulnerability allows an attacker to craft a malicious link that redirects users to an arbitrary external URL without their consent.
Source: nvd

CVE-2024-14002 | P4 | MEDIUM | CVSS 5.5 | fixed in 2024 | v2024 | 2025-10-30
CVE-2024-14002 [MEDIUM] CWE-98: Nagios XI versions prior to 2024R1.1.4 contain a local file inclusion (LFI) vulnerability via its NagVis integration. An authenticated user can supply crafted path values that cause the server to include local files, potentially exposing sensitive information from the underlying host.
Source: nvd

CVE-2020-23992 | P4 | MEDIUM | CVSS 6.1 | v5.7.1 | 2023-08-22
CVE-2020-23992 [MEDIUM] CWE-79: Cross-Site Scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via the returnUrl parameter in a crafted GET request.
Source: nvd

CVE-2024-13993 | P4 | MEDIUM | CVSS 6.1 | fixed in 2024 | v2024 | 2025-10-30
CVE-2024-13993 [MEDIUM] CWE-79: Nagios XI versions prior to 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript
Source: nvd

CVE-2013-10071 | P4 | MEDIUM | CVSS 6.1 | ≤ 2011 | v2012 | 2025-10-30
CVE-2013-10071 [MEDIUM] CWE-79: Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Source: nvd

CVE-2021-47694 | P4 | MEDIUM | CVSS 6.1 | fixed in 5.8.6 | 2025-10-30
CVE-2021-47694 [MEDIUM] CWE-79: The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.4 / Nagios XI 5.8.6 contains a reflected cross-site scripting (XSS) vulnerability via the Test Command functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Source: nvd

CVE-2011-10037 | P4 | MEDIUM | CVSS 5.4 | ≤ 2009 | v2011 | 2025-10-30
CVE-2011-10037 [MEDIUM] CWE-79: Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Source: nvd

CVE-2024-13992 | P4 | MEDIUM | CVSS 5.4 | fixed in 2024 | v2024 | 2025-10-31
CVE-2024-13992 [MEDIUM] CWE-79: Nagios XI versions prior to 2024R1.1 are vulnerable to cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied input, allowing an attacker to craft a malicious link that, when visited by a
Source: nvd

CVE-2023-7316 | P4 | MEDIUM | CVSS 5.4 | fixed in 2024 | 2025-10-30
CVE-2023-7316 [MEDIUM] CWE-79: Nagios XI versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Source: nvd