Enhancement: cves/2021/CVE-2021-25297.yaml by md

patch-1
MostInterestingBotInTheWorld 2023-03-21 15:51:06 -04:00
parent 09986f5635
commit 168133e491
1 changed files with 2 additions and 2 deletions


@ -5,12 +5,12 @@ info:
author: k0pak4
severity: high
description: |
Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL parameters.
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://github.com/rapid7/metasploit-framework/pull/17494
- https://nvd.nist.gov/vuln/detail/CVE-2021-25297
- http://nagios.com
- https://nvd.nist.gov/vuln/detail/CVE-2021-25297
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
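Review bot: the new description line is internally inconsistent: it opens with "authenticated remote command injection" and "authenticated user-controlled input" but closes with "without entering necessary credentials", which contradicts the PR:L in the CVSS vector below it; drop the trailing clause so the description matches the classification. Separately, the reference list now carries `https://nvd.nist.gov/vuln/detail/CVE-2021-25297` twice; keep only one copy of that entry.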