Description ========== Various vulnerabilities have been found in Nagios XI 5.5.10, which allow a remote attacker able to trick an authenticated victim (with “autodiscovery job” creation privileges) to visit a malicious URL to obtain a remote root shell via a reflected Cross-Site Scripting (XSS), an authenticated Remote Code Execution (RCE) and a Local Privilege Escalation (LPE).
Update to Nagios XI 5.5.11 which includes all the fixes. Full write-up here: https://www.shielder.it/blog/nagios-xi-5-5-10-xss-to-root-rce/ -- Abdel Adim `smaury` Oisfi Co-CEO @ Shielder Srl [email protected] (+39) 393 - 16 66 814 https://keybase.io/smaury/key.asc
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
