Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service via a long string in the last key value in the variable list to the process_cgivars function in avail.c, cmd.c, config.c, extinfo.c, histogram.c, notifications.c, outages.c, status.c, statusmap.c, summary.c, and trends.c in cgi/, which triggers a heap-based buffer over-read.Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service via a long message to cmd.cgi.Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration could use this flaw to elevate their privileges to root.Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read.rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache.The _httpsrequest function in Snoopy 1.2.3 and earlier, as used in ampache, libphp-snoopy, mahara, mediamate, opendb, pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.