CVE-2024-13986

Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
VulnCheckCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Common Weakness Enumeration
References
https://theyhack.me/Nagios-XI-Authenticated-RCE
https://www.nagios.com/changelog/
https://www.nagios.com/products/security/
https://theyhack.me/Nagios-XI-Authenticated-RCE/