Nagios Enterprises · Nagios XI · CVE-2020-36863
**Name of the Vulnerable Software and Affected Versions**
Nagios XI versions prior to 5.7.2
**Description**
Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to, and executed from, the Audio Import directory. The upload handler neither restricts file types nor stores uploads outside the webroot, and the web server is permitted to execute scripts in the upload directory. An authenticated attacker with access to the Audio Import feature can upload a malicious PHP file and then request it over HTTP, leading to remote code execution with the privileges of the application service.
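As an added illustration, not Nagios XI code or part of this advisory, the following Python upload handler shows the three controls the description implies were missing: an extension allowlist checked against file contents, storage under a server-chosen name in a directory assumed to lie outside the webroot, and a file mode with no execute bit. Function names and the store directory are assumptions.

```python
import os
import secrets
from pathlib import Path

# Constructed example, not Nagios XI code: the controls the advisory says the
# Audio Import upload path lacked (type allowlist checked against content,
# storage outside the webroot under a server-chosen name, no execute bit).

def _is_wav(b: bytes) -> bool:
    return b[:4] == b"RIFF" and b[8:12] == b"WAVE"

def _is_mp3(b: bytes) -> bool:
    # ID3 tag header, or an MPEG audio frame sync (11 set bits).
    return b[:3] == b"ID3" or (len(b) > 1 and b[0] == 0xFF and (b[1] & 0xE0) == 0xE0)

def _is_ogg(b: bytes) -> bool:
    return b[:4] == b"OggS"

# Allowed extension -> content check. Anything else is rejected.
ALLOWED = {"wav": _is_wav, "mp3": _is_mp3, "ogg": _is_ogg}

class UploadRejected(ValueError):
    pass
def validate_audio_upload(client_name: str, data: bytes) -> str:
    """Return the accepted extension, or raise UploadRejected."""
    # Never trust the client-supplied path; keep only the final component.
    parts = os.path.basename(client_name.replace("\\", "/")).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Rejects "sound.php.wav", ".htaccess" and names with no extension.
        raise UploadRejected("exactly one extension is required")
    ext = parts[1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} is not an allowed audio type")
    if not ALLOWED[ext](data):
        raise UploadRejected("content does not match the declared type")
    # Magic bytes do not stop a valid audio file with PHP appended (a polyglot);
    # the storage controls below are the real fix, this scan is defence in depth.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded PHP open tag")
    return ext

def store_upload(client_name: str, data: bytes, store_dir: Path) -> Path:
    """Persist a validated upload; store_dir is assumed to lie outside the webroot."""
    ext = validate_audio_upload(client_name, data)
    dest = store_dir / f"{secrets.token_hex(16)}.{ext}"  # server-chosen name
    # O_EXCL refuses to overwrite an existing file; mode 0o640 sets no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```

Even with this handler in place, the web server configuration for the upload directory should still deny script execution, since content checks cannot catch every polyglot.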
**Recommendations**
Update to version 5.7.2 or later.