Nagios XI < 2011R1.9 Multiple Vulnerabilities

NASLDB: Nagios XI < 2011R1.9 Multiple Vulnerabilities

General

ID: 61429
Name: Nagios XI < 2011R1.9 Multiple Vulnerabilities

Summary: Checks the version of Nagios XI

Credits: Tenable Network Security, Inc.

Classification

Risk: –

CVSS: –
CVSS Base Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Port: 80
Family: CGI abuses
Type: Remote

Description

The version of Nagios XI hosted on the remote web server is affected
by multiple vulnerabilities :

– A privilege escalation vulnerability exists in the
method used to install RPMs.

– A privilege escalation vulnerability exists in the
method used to edit crontab files.

– Multiple reflective cross-site scripting vulnerabilities
exist due to the failure to sanitize the query strings
of GET requests.

– A stored cross-site scripting vulnerability exists in
the ‘reports/myreports.php’ script due to the failure to
sanitize the report name.

An attacker can leverage the cross-site scripting issues by enticing a
user to follow a malicious URL, causing attacker-specified script code
to run inside the user’s browser in the context of the affected site.
Information harvested this way may aid in launching further attacks.