5.1
CVE-2011-10036 - Nagios XI < 2011R1.9 XSS via backend_url JavaScript Link Handler
Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
5.1
CVE-2011-10039 - Nagios XI < 2011R1.9 XSS via Alert Heatmap Report & “My Reports” Listing
Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the Alert Heatmap report and the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of…
5.1
CVE-2021-47699 - Nagios XI < 5.8.7 XSS in Audit Log via Send to NLS Form
Nagios XI versions prior to 5.8.7 are vulnerable to cross-site scripting (XSS) via the Audit Log page’s Send to NLS form. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
5.1
CVE-2023-53688 - Nagios XI < 5.11.3 XSS & CSRF via Hypermap Replay
Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the contex…
9.4
CVE-2023-7317 - Nagios XI < 2024R1 Web SSH Terminal Missing Access Control
Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command execution or disclosure of s…
8.7
CVE-2020-36863 - Nagios XI < 5.7.2 Unrestricted File Upload via Audio Import Directory
Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An a…
6.9
CVE-2020-36862 - Nagios XI < 5.6.11 Unauthenticated XSS and SSRF via Highcharts
Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSR…
5.1
CVE-2022-50587 - Nagios XI < 5.8.9 Stored XSS via Command Names in Apply Config Error Text
Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) via the Apply Configuration error text. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
5.1
CVE-2022-50586 - Nagios XI < 5.8.9 Stored XSS via BPI Info URL
Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the BPI component via the info URL field. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
5.1
CVE-2022-50588 - Nagios XI < 5.8.9 Stored XSS in Update Checking
Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the update checking feature. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.