Nagios XI SQL Injection Vulnerability in Notification Search

Vulnerability

A SQL injection vulnerability has been identified in Nagios XI versions prior to 5.2.4. It resides in the notification search feature, where user-supplied search parameters were concatenated directly into SQL statements without sanitization or parameterization. An authenticated user can therefore alter the structure of the query the application runs, reading or modifying notification data the account is not authorized to see. Depending on how the query is built and on the privileges of the database account Nagios XI uses, the same injection point can reach other tables in the application's database.

Impact

Exploitation requires an authenticated Nagios XI account. A successful attack lets the attacker manipulate the notification search query and potentially read or modify sensitive data beyond what the user interface exposes to that account.

Reproduction

To reproduce this vulnerability, an authenticated user submits crafted search parameters to the notification search feature, for example values containing SQL string delimiters or comment sequences. Because the input is neither validated nor bound as a query parameter, it is interpreted as part of the SQL statement rather than as data, leading to unauthorized data access or manipulation.
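The following is an added illustration, not Nagios XI code: a Python model of the pattern the advisory describes, built on an in-memory SQLite database with a constructed notifications table and a constructed app_users table standing in for other data in the same database. The table names, columns, and sample rows are assumptions chosen for the example. It contrasts a search that concatenates the user's term into SQL with a parameterized version, and shows the two consequences named above: a tautology that bypasses the per-contact filter, and a UNION that pulls rows from an unrelated table.

```python
import sqlite3

# Constructed sample data (assumption, not the real Nagios XI schema).
NOTIFICATION_ROWS = [
    ("host-a", "PROBLEM", "admin"),
    ("host-b", "RECOVERY", "admin"),
    ("db-1", "PROBLEM", "dba"),
]
USER_ROWS = [
    ("alice", "$2y$10$constructed"),
    ("bob", "$2y$10$alsoconstructed"),
]


def make_db():
    """Build the in-memory database the examples run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notifications "
        "(id INTEGER PRIMARY KEY, host TEXT, type TEXT, contact TEXT)"
    )
    conn.executemany(
        "INSERT INTO notifications (host, type, contact) VALUES (?, ?, ?)",
        NOTIFICATION_ROWS,
    )
    conn.execute("CREATE TABLE app_users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO app_users VALUES (?, ?)", USER_ROWS)
    return conn


def search_vulnerable(conn, contact, term):
    """The flawed pattern: the search term is spliced into the SQL text.

    The application intends to return only notifications for `contact`
    whose host matches `term`, but a term containing a quote or comment
    sequence changes the statement itself.
    """
    sql = (
        "SELECT host, type FROM notifications "
        f"WHERE contact = '{contact}' AND host LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_hardened(conn, contact, term):
    """Parameterized equivalent: the term is bound as data.

    LIKE wildcards in the user's input are escaped as well, so a term of
    '%' cannot be used to match every row.
    """
    escaped = (
        term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = (
        "SELECT host, type FROM notifications "
        "WHERE contact = ? AND host LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, (contact, f"%{escaped}%")).fetchall()


# Constructed payloads: a tautology that neutralizes the contact filter,
# and a UNION that reads a different table through the same query.
TAUTOLOGY_TERM = "' OR '1'='1' --"
UNION_TERM = "' UNION SELECT username, password_hash FROM app_users --"


def demo():
    conn = make_db()
    return {
        "normal": search_vulnerable(conn, "admin", "host"),
        "tautology_vulnerable": search_vulnerable(conn, "admin", TAUTOLOGY_TERM),
        "tautology_hardened": search_hardened(conn, "admin", TAUTOLOGY_TERM),
        "union_vulnerable": search_vulnerable(conn, "admin", UNION_TERM),
        "union_hardened": search_hardened(conn, "admin", UNION_TERM),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenating version, the tautology term returns every notification regardless of contact, and the UNION term returns the rows of app_users alongside the admin's notifications. The parameterized version returns no rows for either payload, because the whole term is treated as a literal pattern.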

Remediation

Upgrade to Nagios XI version 5.2.4 or later, where this vulnerability has been fixed. Until the upgrade is applied, limit which accounts can reach the notification search feature.

Added: Oct 31, 2025, 12:06 AM
Updated: Oct 31, 2025, 12:06 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 5.0
exploitability: 5.6
remediation: 0.0
relevance: 0.8
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.