Full Disclosure mailing list archives
Nagios XI 5.5.10: XSS to root RCE (CVE-2019-9164, 9165, 9166, 9167, 9202, 9203, 9204)
From: Abdel Adim `smaury` Oisfi <smaury () shielder it>
Date: Wed, 10 Apr 2019 16:06:30 +0200
Description
===========

Various vulnerabilities have been found in Nagios XI 5.5.10, which allow a remote attacker able to trick an authenticated victim (with "autodiscovery job" creation privileges) into visiting a malicious URL to obtain a remote root shell via a reflected Cross-Site Scripting (XSS), an authenticated Remote Code Execution (RCE) and a Local Privilege Escalation (LPE).

Update to Nagios XI 5.5.11, which includes all the fixes.

Full write-up here: https://www.shielder.it/blog/nagios-xi-5-5-10-xss-to-root-rce/

--
Abdel Adim `smaury` Oisfi
Co-CEO @ Shielder Srl
smaury () shielder it
(+39) 393 - 16 66 814
https://keybase.io/smaury/key.asc