CVE-2019-20197

HIGH

Nagios XI - OS Command Injection


Description

In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

Exploits (2)

nomisec · working PoC · 23 stars
by jas502n · poc
https://github.com/jas502n/CVE-2019-20197

nomisec · working PoC · 1 star
by lp008 · poc
https://github.com/lp008/CVE-2019-20197

References (1)

Core References (1)
Exploit, Third Party Advisory (x_refsource_misc)
https://code610.blogspot.com/2019/12/postauth-rce-in-latest-nagiosxi.html

Scores

CVSS v3 8.8
EPSS 0.3602
EPSS Percentile 97.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
nagios/nagios_xi 5.6.9
Published Dec 31, 2019
Tracked Since Feb 18, 2026