Published: 26/10/2021 Updated: 08/11/2022

CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8

CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2

VMScore: 801

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

An issue exists in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an malicious user to execute system commands.

Vulnerable Product	Search on Vulmon	Subscribe to Product
nagios nagios xi 5.8.5

RFI to RCE Nagios/NagiosXI exploitation

NagiosXI RCE File-Upload CVE-2021-40345 Authentified RFI to RCE Nagios/NagiosXI exploitation Step 1 : Go on the "dashlets" managing page and download one of them (I'm using "rss_dashlet" for the exemple) : TARGET_IP/nagiosxi/admin/dashletsphp?download=rss_dashlet Step 2 : Modify the *incphp (I'm gon

CWE-77 https://www.synacktiv.com/sites/default/files/2021-10/Nagios_XI_multiple_vulnerabilities_0.pdf https://synacktiv.com https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT https://github.com/ArianeBlow/NagiosXI-EmersonFI/blob/main/README.md https://nvd.nist.gov https://github.com/ArianeBlow/NagiosXI-RCE-all-version-CVE-2021-40345

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2021-40345

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect