← Voltar para CVEs
CVE-2020-36863
HIGH8.8
Descricao
Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import feature could upload a crafted PHP file and then request it to achieve remote code execution with the privileges of the application service.
Detalhes CVE
Pontuacao CVSS v3.18.8
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado10/30/2025
Ultima modificacao11/5/2025
Fontenvd
Avistamentos honeypot0
Produtos afetados
nagios:nagios_xi
Fraquezas (CWE)
CWE-434
Referencias
https://www.nagios.com/changelog/nagios-xi/(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/nagios-xi-unrestricted-file-upload-via-audio-import-directory(disclosure@vulncheck.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.