CVE-2021-40344

high-risk
Published 2021-10-26

An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.

Do I need to act?

!
67.2% chance of exploitation in next 30 days
EPSS score — higher than 33% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Nagios

References (6)

Release Notes https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
Not Applicable https://synacktiv.com
Exploit https://www.synacktiv.com/sites/default/files/2021-10/Nagios_XI_multiple_vulnera...
Release Notes https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
Not Applicable https://synacktiv.com
Exploit https://www.synacktiv.com/sites/default/files/2021-10/Nagios_XI_multiple_vulnera...
50
/ 100
high-risk
Severity 26/34 · High
Exploitability 19/34 · Moderate
Exposure 5/34 · Minimal