Nagios XI vulnerabilities
59 known vulnerabilities affecting nagios/xi.
Total CVEs: 59
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 17, MEDIUM 40
Vulnerabilities
Page 2 of 3
CVE-2020-36862 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.6.11 | 2025-10-30
Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSRF), potentially accessing internal network resources.
nvd
CVE-2024-13993 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2024R1.1.2 | 2025-10-30
Nagios XI versions prior to 2024R1.1.2 are vulnerable to reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript
nvd
CVE-2013-10071 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2012R1.6 | 2025-10-30
Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2021-47694 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.8.6 | 2025-10-30
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.4 / Nagios XI 5.8.6 contains a reflected cross-site scripting (XSS) vulnerability via the Test Command functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2011-10037 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2011R1.9 | 2025-10-30
Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2024-13992 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2024R1.1 | 2025-10-31
Nagios XI versions prior to 2024R1.1 are vulnerable to cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied input, allowing an attacker to craft a malicious link that, when visited by a
nvd
CVE-2023-7316 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2024R1 | 2025-10-30
Nagios XI versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2023-7315 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.11.3 | 2025-10-30
Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2023-7314 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.11.3 | 2025-10-30
Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bandwidth Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2022-50587 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.8.9 | 2025-10-30
Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) via the Apply Configuration error text. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2022-50586 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.8.9 | 2025-10-30
Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the BPI component via the info URL field. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2020-36865 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.7.2 | 2025-10-30
Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the BPI (Business Process Intelligence) component’s Config Management and Edit Config page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2023-7318 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2024R1.0.2 | 2025-10-30
Nagios XI versions prior to 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2023-7313 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.11.3 | 2025-10-30
Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bulk Modifications tool. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2011-10038 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2011R1.9 | 2025-10-30
Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2016-15053 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.2.4 | 2025-10-30
Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2016-15052 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.2.4 | 2025-10-30
Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Menu System of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2021-47691 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.8.2 | 2025-10-30
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.1 / Nagios XI 5.8.2 contains multiple cross-site scripting (XSS) vulnerabilities via the Services page affecting the config_name and service_description fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in
nvd
CVE-2021-47696 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.8.0 | 2025-10-30
Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via BPI config ID handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2020-36864 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.7.2 | 2025-10-30
Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the background color settings in Dashboards. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd