Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Nagios XI Network Monitor Graph Explorer Component Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the Graph Explorer component of Nagios XI Network Monitor, in versions prior to 1.3. It allows authenticated users to inject system commands through unsanitized parameters, such as 'host', in 'visApi.php', leading to remote code execution.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary system commands on the server where Nagios XI is running, potentially leading to unauthorized access to or control over the system.

Reproduction

To reproduce this vulnerability, an authenticated user logs into Nagios XI and navigates to the Graph Explorer component. From there, the user supplies a command in the 'host' parameter of 'visApi.php'. The injection is possible because the parameter is not properly sanitized before use. Execution of the injected command on the server can then be observed, confirming successful exploitation.
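As an added detection example (not part of this advisory and not Nagios XI code), the following Python scans web-server access log lines for GET requests to visApi.php whose 'host' query parameter carries shell metacharacters, the signature of the injection described above. The log lines are constructed, and the path prefix before visApi.php is assumed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Characters that never belong in a host name but separate or chain shell
# commands; any one of them in the 'host' value is a strong signal here.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def extract_host_param(request_target: str) -> Optional[str]:
    """Return the decoded 'host' query value for visApi.php requests, else None."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/visApi.php"):
        return None
    # parse_qs percent-decodes, so '%3B' becomes ';' before the check below.
    values = parse_qs(parts.query, keep_blank_values=True).get("host")
    return values[0] if values else None


def flag_suspicious(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, decoded host value) for lines matching the pattern.

    Only GET parameters are visible in access logs; a POSTed 'host' value
    needs request-body logging or a WAF to be caught the same way.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        host = extract_host_param(match.group("target"))
        if host is not None and SHELL_META.search(host):
            hits.append((number, host))
    return hits


# Constructed sample lines (not real traffic); the path prefix is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - admin [05/Aug/2025:21:18:00 +0000] "GET /nagiosxi/includes/components/graphexplorer/visApi.php?type=host&host=web01 HTTP/1.1" 200 512',
    '10.0.0.9 - admin [05/Aug/2025:21:18:03 +0000] "GET /nagiosxi/includes/components/graphexplorer/visApi.php?type=host&host=web01%3Bid HTTP/1.1" 200 611',
    '10.0.0.9 - admin [05/Aug/2025:21:18:07 +0000] "GET /nagiosxi/index.php?host=web01%3Bid HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for number, host in flag_suspicious(SAMPLE_LOG):
        print(f"line {number}: suspicious host parameter {host!r}")
```

The third sample line carries the same metacharacter but targets a different script, so it is deliberately not flagged; widen the path check if other endpoints pass the parameter to a shell.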

Added: Aug 5, 2025, 9:18 PM
Updated: Aug 5, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm
spread          5.0
impact         10.0
exploitability  6.5
remediation     0.0
relevance       0.3
threat          9.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.