Privilege escalation in Nagios XI prior to 5.5.11 allows local malicious users to elevate privileges to root via write access to config.inc.php and import_xiconfig.php.
Various vulnerabilities have been found in Nagios XI version 5510, which allow a remote attacker who can trick an authenticated victim (with "autodiscovery job" creation privileges) into visiting a malicious URL to obtain a remote root shell via a reflected cross-site scripting, an authenticated remote code execution and a local privilege escalation ...
CVE-2019-9202
Nagios IM 26 remote code execution exploit: CSRF + SQLi + RCE + LPE --> remote root
Description
By chaining a Cross-Site Request Forgery (CSRF) / authorization bypass (CVE-2019-9203) it is possible to exploit a Union-based SQL injection (CVE-2019-9204), a Remote Code Execution (RCE) (CVE-2019-9202) and a Local Privilege Escalation (LPE) (CVE-2019-9166), ob