CVE-2013-10073

Published: Oct 30, 2025Modified: Nov 6, 2025

8.7

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

Nagios XI versions prior to 2012R1.6 contain a shell command injection vulnerability in the Auto-Discovery tool. User-controlled input is passed to a shell without adequate sanitation or argument quoting, allowing an authenticated user with access to discovery functionality to execute arbitrary commands with the privileges of the application service.

Affected (7)

Products: Nagios: Nagios Xi

Nagios

1 product

Nagios Xi

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Nagios Nagios Xi	Before 2012
Nagios Nagios Xi	Version 2012 r1.0
Nagios Nagios Xi	Version 2012 r1.1
Nagios Nagios Xi	Version 2012 r1.2
Nagios Nagios Xi	Version 2012 r1.3
Nagios Nagios Xi	Version 2012 r1.4
Nagios Nagios Xi	Version 2012 r1.5

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://www.nagios.com/changelog/nagios-xi/

Source: disclosure@vulncheck.com

Release Notes

https://www.vulncheck.com/advisories/nagios-xi-auto-discovery-shell-command-injection

Source: disclosure@vulncheck.com

Third Party Advisory

Timeline

No history available yet.