CVE-2024-13986

Опубликовано: 28 авг. 2025

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user.

Ссылки

https://theyhack.me/Nagios-XI-Authenticated-RCE
Exploit
Third Party Advisory
https://www.nagios.com/changelog/nagios-xi/
https://www.nagios.com/products/security/#nagios-xi
https://www.vulncheck.com/advisories/nagios-xi-authenticated-arbitrary-file-upload-path-traversal-rce
https://theyhack.me/Nagios-XI-Authenticated-RCE/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*

Версия до 2024 (исключая)

cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.1.1:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.1.2:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.1.3:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.1.4:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.1.5:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.2:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.2.1:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.2.2:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.3:*:*:*:*:*:*

cpe:2.3:a:nagios:nagios_xi:2024:r1.3.1:*:*:*:*:*:*

EPSS

Процентиль: 79%

0.01302

Низкий

8.8 High

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-fr8x-pm73-6f4h