← Retour aux CVEs
CVE-2020-36863
HIGH8.8
Description
Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import feature could upload a crafted PHP file and then request it to achieve remote code execution with the privileges of the application service.
Details CVE
Score CVSS v3.18.8
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurNONE
Publie10/30/2025
Derniere modification11/5/2025
Sourcenvd
Observations honeypot0
Produits affectes
nagios:nagios_xi
Faiblesses (CWE)
CWE-434
References
https://www.nagios.com/changelog/nagios-xi/(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/nagios-xi-unrestricted-file-upload-via-audio-import-directory(disclosure@vulncheck.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.