CVE-2013-10073
Published: 30 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2013-10073 is an OS command injection vulnerability (CWE-78) in the Auto-Discovery tool of Nagios XI versions prior to 2012R1.6. User-controlled input from the discovery request is interpolated into a shell command line without validation or argument quoting, so shell metacharacters in that input (such as `;`, `|`, backticks or `$(...)`) are interpreted by the shell as additional commands. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): High severity, with full impact on confidentiality, integrity and availability of the affected host.
An authenticated attacker with access to the discovery functionality can exploit this vulnerability remotely over the network; the attack is low complexity and requires no user interaction. Successful exploitation executes arbitrary commands with the privileges of the account under which the Nagios XI application runs, which can lead to full system compromise depending on that account's permissions.
The fix shipped in Nagios XI 2012R1.6; affected users should upgrade to 2012R1.6 or later. Details are in the Nagios XI changelog at https://www.nagios.com/changelog/nagios-xi/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/nagios-xi-auto-discovery-shell-command-injection, which cover the patch and remediation steps.
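The injection pattern described above, shown as a vulnerable function beside its hardened form. This is an added illustrative example written for this page, not Nagios XI's own code: the scanner is modelled with `echo` (an assumption, so the block runs offline and shows exactly what reaches the shell), and the function names, the `target` parameter and the injection payload are all constructed for the demonstration. The hardened version does two independent things: it validates the scan target as a literal IP address or CIDR network before anything else, and it passes the result as an argv element rather than through `/bin/sh`; a `shlex.quote` variant is included for the case where a shell string cannot be avoided.

```python
import ipaddress
import shlex
import subprocess

# Constructed stand-in for the discovery scanner binary (assumption for this
# example): "echo" keeps the block runnable offline and prints the argument
# string exactly as the shell hands it over.
SCANNER = "echo"


def run_discovery_vulnerable(target: str) -> str:
    """Vulnerable pattern (CWE-78): the user-supplied scan target is spliced
    into a command string and handed to /bin/sh. Shell metacharacters in
    `target` (';', '|', backticks, '$(...)') become additional commands."""
    cmd = f"{SCANNER} scanning {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def parse_target(target: str) -> str:
    """Hardened input handling: accept only a literal IPv4/IPv6 address or
    CIDR network and return its canonical form (a bare host address comes
    back as a /32 or /128). Anything else is rejected before it gets near
    a command line, so metacharacters never reach the shell at all."""
    try:
        return str(ipaddress.ip_network(target.strip(), strict=False))
    except ValueError as exc:
        raise ValueError(f"invalid scan target: {target!r}") from exc


def build_discovery_argv(target: str) -> list[str]:
    """Build an argv list for the scanner. No shell is involved, so even a
    value that somehow slipped past validation would reach the scanner as a
    single argument instead of being re-parsed as shell syntax."""
    return [SCANNER, "scanning", parse_target(target)]


def run_discovery_hardened(target: str) -> str:
    """Fixed pattern: validate, then exec without a shell."""
    return subprocess.run(build_discovery_argv(target), capture_output=True, text=True).stdout


def shell_quoted_command(target: str) -> str:
    """Fallback when a shell string is unavoidable: quote the argument so the
    shell treats it as data, not syntax. Validation still runs first."""
    return f"{SCANNER} scanning {shlex.quote(parse_target(target))}"


if __name__ == "__main__":
    benign = "10.0.0.0/24"
    payload = "10.0.0.0/24; echo INJECTED"  # constructed injection payload
    print(run_discovery_vulnerable(payload), end="")  # second command runs
    try:
        run_discovery_hardened(payload)
    except ValueError as exc:
        print("rejected:", exc)
    print(run_discovery_hardened(benign), end="")
```

Running the block shows the vulnerable path printing `INJECTED` on its own line, because the shell split the string at `;`, while the hardened path refuses the same input. Note that validation alone is not the whole fix: the argv form (or, failing that, `shlex.quote`) is what guarantees the value is passed as one argument even if the validator is later loosened to accept hostnames.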
Details
CWE(s)
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected Products
- Nagios XI, versions prior to 2012R1.6 (fixed in 2012R1.6)
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1059.004: Command and Scripting Interpreter: Unix Shell
- T1068: Exploitation for Privilege Escalation
Why these techniques?
The Auto-Discovery tool is part of the network-facing Nagios XI web application and is reachable by a low-privileged authenticated user (PR:L), so exploiting it is Exploit Public-Facing Application (T1190). The injected payload is executed by the system shell, which is Unix Shell (T1059.004). Because a low-privileged Nagios XI user ends up running commands as the operating-system account the application runs under, the result is Exploitation for Privilege Escalation (T1068); escalating beyond that service account would require a further step not covered by this CVE.