Nagios XI SQL Injection Vulnerability in SNMP Trap Interface

A post-authentication SQL injection vulnerability has been identified in Nagios XI versions prior to 5.6.14, specifically within the SNMP Trap Interface page. This vulnerability allows users with administrative privileges to inject crafted SQL commands that are not properly sanitized. The exploitation of this vulnerability could lead to unauthorized disclosure or modification of application data, or allow execution of arbitrary SQL commands against the backend database.

Impact

Exploitation of this vulnerability allows for SQL injection, which could result in unauthorized data access or modification, and potentially lead to other attacks such as SQL injection-based privilege escalation or code execution.

Reproduction

To reproduce this vulnerability, log into Nagios XI with an administrative account. Navigate to the SNMP Trap Interface page. Once there, input crafted data that exploits the SQL injection vulnerability. This could involve entering SQL commands or payloads that manipulate the SQL query execution. After submitting the input, observe the application's response for signs of SQL injection exploitation, such as error messages indicating SQL syntax issues or unexpected data being displayed.

Remediation

Users can upgrade to Nagios XI version 5.6.14 or later, where this vulnerability has been fixed.