CVE-2021-40344
Last modified
CVE-2021-40344 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. EPSS estimates a 66.19% chance of exploitation in the next 30 days.
Description
An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nagios | Nagios Xi | 5.8.5 |
References
- https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXTRelease Notes, Vendor Advisory
- https://synacktiv.comNot Applicable
- https://www.synacktiv.com/sites/default/files/2021-10/Nagios_XI_multiple_vulnerabilities_0.pdfExploit, Third Party Advisory
- https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXTRelease Notes, Vendor Advisory
- https://synacktiv.comNot Applicable
- https://www.synacktiv.com/sites/default/files/2021-10/Nagios_XI_multiple_vulnerabilities_0.pdfExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-40344?
How severe is CVE-2021-40344?
How do I fix CVE-2021-40344?
Are you affected by CVE-2021-40344?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST