CVE-2021-37223
MEDIUMNagios XI <= 5.8.4 - Authenticated Server-Side Request Forgery via schedulereport.php
Title source: llmDescription
Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.nagios.com/downloads/nagios-xi/change-log/
Vendor Advisory x_refsource_misc
http://nagios.com
Scores
CVSS v3
6.5
EPSS
0.0065
EPSS Percentile
71.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-918
Status
published
Products (1)
nagios/nagios_xi
< 5.8.4
Published
Oct 05, 2021
Tracked Since
Feb 18, 2026