Nagios Fusion
19 CVEs affecting Nagios Fusion. Latest disclosed: 2025-10-30. Critical: 6, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2020-28908 | Critical | 9.8 | 2021-05-24 | Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to nagios. |
| CVE-2020-28907 | Critical | 9.8 | 2021-05-24 | Incorrect SSL certificate validation in Nagios Fusion 4.1.8 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to do… |
| CVE-2020-28904 | Critical | 9.8 | 2021-05-24 | Execution with Unnecessary Privileges in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation as nagios via installation of a malicious component co… |
| CVE-2020-28902 | Critical | 9.8 | 2021-05-24 | Command Injection in Nagios Fusion 4.1.8 and earlier allows Privilege Escalation from apache to root in cmd_subsys.php. |
| CVE-2020-28901 | Critical | 9.8 | 2021-05-24 | Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation or Code Execution as root via vectors related to corrupt component install… |
| CVE-2020-28900 | Critical | 9.8 | 2021-05-24 | Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code E… |
| CVE-2020-28909 | High | 8.8 | 2021-05-24 | Incorrect File Permissions in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root via modification of scripts. Low-privileges users are abl… |
| CVE-2020-28906 | High | 8.8 | 2021-05-24 | Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are… |
| CVE-2020-28905 | High | 8.8 | 2021-05-24 | Improper Input Validation in Nagios Fusion 4.1.8 and earlier allows an authenticated attacker to execute remote code via table pagination. |
| CVE-2025-60425 | High | 8.6 | 2025-10-27 | Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attac… |
| CVE-2025-60424 | High | 7.6 | 2025-10-27 | A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce att… |
| CVE-2020-28911 | Medium | 6.5 | 2021-05-24 | Incorrect Access Control in Nagios Fusion 4.1.8 and earlier allows low-privileged authenticated users to extract passwords used to manage fused servers via the… |
| CVE-2018-25119 | Medium | 6.1 | 2025-10-30 | Nagios Fusion versions prior to 4.1.5 are vulnerable to cross-site scripting (XSS) via the "fusionwindow" parameter. Insufficient validation or escaping of use… |
| CVE-2017-20209 | Medium | 6.1 | 2025-10-30 | Nagios Fusion versions prior to 4.0.1 are vulnerable to cross-site scripting (XSS) via the Users and Servers pages. Insufficient validation or escaping of user… |
| CVE-2020-28903 | Medium | 6.1 | 2021-05-24 | Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS. |
| CVE-2018-12501 | Medium | 6.1 | 2018-06-16 | Nagios Fusion before 4.1.4 has XSS, aka TPS#13332-13335. |
| CVE-2023-7312 | Medium | 4.8 | 2025-10-30 | Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability when adding or configuring Email Settings. Unsanitized user inp… |
| CVE-2023-53690 | Medium | 4.8 | 2025-10-30 | Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability in the LDAP/AD authentication-server configuration. Unsanitized… |
| CVE-2023-53689 | Medium | 4.8 | 2025-10-30 | Nagios Fusion versions prior to 4.2.0 contain a reflected cross-site scripting (XSS) vulnerability in the license key configuration flow that can result in exe… |