← Volver a CVEs
CVE-2020-36863
HIGH8.8
Descripcion
Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import feature could upload a crafted PHP file and then request it to achieve remote code execution with the privileges of the application service.
Detalles CVE
Puntuacion CVSS v3.18.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado10/30/2025
Ultima modificacion11/5/2025
Fuentenvd
Avistamientos honeypot0
Productos afectados
nagios:nagios_xi
Debilidades (CWE)
CWE-434
Referencias
https://www.nagios.com/changelog/nagios-xi/(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/nagios-xi-unrestricted-file-upload-via-audio-import-directory(disclosure@vulncheck.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.