Nagios XI Core Config Manager SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Core Config Manager (CCM) of Nagios XI, affecting versions prior to CCM 3.0.7 and Nagios XI 5.7.4. The vulnerability arises from unsanitized user input being incorporated into SQL queries on the object edit pages. This flaw allows authenticated users to inject SQL fragments, potentially leading to unauthorized disclosure or modification of configuration and application data. In some environments, this could further compromise the application or backend database.
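The mechanism described above, as an added illustration that is not Nagios XI or Core Config Manager code: a toy configuration store built with Python's sqlite3 module, the string-concatenation pattern the advisory describes beside a validated, parameterized version, and constructed payloads showing both the disclosure path (a UNION pulling rows from another table) and the modification path (a quote that closes the literal and rewrites the WHERE clause). The schema, field names, row contents and payloads are all invented for this example; the real product's tables, queries and request parameters are not shown here.

```python
import sqlite3

# Constructed stand-in for an application's configuration store. The schema,
# table names and row contents are invented for this example and are not the
# Nagios XI / Core Config Manager schema.
SEED_SQL = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, host_name TEXT NOT NULL, address TEXT NOT NULL);
INSERT INTO hosts VALUES (1, 'web01', '10.0.0.10');
INSERT INTO hosts VALUES (2, 'db01',  '10.0.0.20');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, api_key TEXT NOT NULL);
INSERT INTO users VALUES (1, 'admin', 'constructed-api-key-value');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


# --- Vulnerable pattern: request parameters spliced into the SQL text ---------

def load_host_vulnerable(conn, host_id):
    # `host_id` arrives as a string from the edit page; concatenating it into
    # the statement lets the client rewrite the query.
    sql = "SELECT id, host_name, address FROM hosts WHERE id = " + host_id
    return conn.execute(sql).fetchall()


def save_address_vulnerable(conn, host_id, address):
    # Same flaw on the write path: a single quote in `address` closes the
    # literal and everything after it is parsed as SQL.
    sql = "UPDATE hosts SET address = '" + address + "' WHERE id = " + host_id
    conn.execute(sql)
    conn.commit()
    return conn.execute("SELECT id, address FROM hosts ORDER BY id").fetchall()


# --- Hardened pattern: validate the shape, then bind every value --------------

def parse_object_id(raw):
    # Object ids are positive integers; reject anything else before it reaches
    # the database, so a payload never gets near the query text.
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError("invalid object id")
    if value <= 0:
        raise ValueError("invalid object id")
    return value


def load_host_fixed(conn, host_id):
    sql = "SELECT id, host_name, address FROM hosts WHERE id = ?"
    return conn.execute(sql, (parse_object_id(host_id),)).fetchall()


def save_address_fixed(conn, host_id, address):
    # Free-text fields are bound as well; the driver transmits them as data,
    # so quotes and comment markers in `address` cannot change the statement.
    sql = "UPDATE hosts SET address = ? WHERE id = ?"
    conn.execute(sql, (address, parse_object_id(host_id)))
    conn.commit()
    return conn.execute("SELECT id, address FROM hosts ORDER BY id").fetchall()


# Constructed payloads an authenticated user could type into edit-form fields.
# They target the toy schema above, not any real product.
READ_PAYLOAD = "1 UNION SELECT id, username, api_key FROM users"
WRITE_PAYLOAD = "10.0.0.99' WHERE 1=1 -- "


def demo():
    conn = build_db()
    leaked = load_host_vulnerable(conn, READ_PAYLOAD)            # rows from `users` leak
    tampered = save_address_vulnerable(conn, "1", WRITE_PAYLOAD)  # every host rewritten
    conn = build_db()
    safe_read = load_host_fixed(conn, "1")
    safe_write = save_address_fixed(conn, "1", WRITE_PAYLOAD)     # only host 1, stored literally
    return leaked, tampered, safe_read, safe_write


if __name__ == "__main__":
    for label, rows in zip(("leaked", "tampered", "safe_read", "safe_write"), demo()):
        print(label, rows)
```

The two fixes are deliberately separate: binding stops the value from being parsed as SQL regardless of content, and the integer check on the object id rejects the payload outright, so a review of an edit handler should look for both the missing placeholder and the missing type check.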

Impact

Successful exploitation lets an authenticated Core Config Manager user run attacker-controlled SQL fragments against the backend database, reading or modifying application and configuration data. Depending on the database account's privileges and the deployment, that access can be used to further compromise the application or to tamper with the backend database directly.

Reproduction

Reproduction requires an authenticated Nagios XI account with access to the Core Config Manager on an affected version (prior to 5.7.4). Submitting a value that contains SQL syntax in an input field of the object edit pages causes the unsanitized value to be concatenated into the application's query, and the database executes the injected fragment. Which fields and parameters are affected is not specified in this entry.

Remediation

Upgrade to Nagios XI 5.7.4 or later (Core Config Manager 3.0.7 or later). Of the versions tracked for this entry, the following are 5.7.4 or newer and contain the fix: 2024R2.2.1, 2024R2.2, 2024R2.1, 2024R2, 2024R1.4.4, 2024R1.4.3, 2024R1.4, 2024R1.3.4, 2024R1.3.3, 2024R1.3.2, 2024R1.3.1, 2024R1.3, 2024R1.2, 2024R1.1, 2024R1, 5.11.3, 5.11.2, 5.11.1, 5.10.0, 5.9.3, 5.9.2, 5.9.1, 5.8.10, 5.8.9, 5.8.8, 5.8.7, 5.8.6, 5.8.5, 5.8.4, 5.8.3, 5.8.2, 5.8.1, 5.8.0, 5.7.5, 5.7.4.

The following releases predate the fix and should be treated as affected: 5.7.3, 5.7.2, 5.7.1, 5.6.14, 5.6.13, 5.6.12, 5.6.11, 5.6.10, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.1, 5.6.0, 5.5.11, 5.5.10, 5.5.9, 5.5.8, 5.5.7, 5.5.6, 5.5.5, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.5.0, 5.4.13, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.0, 5.0.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.0.0, 2.0.0, 1.0.0

Added: Oct 30, 2025, 11:51 PM
Updated: Oct 30, 2025, 11:51 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.6
remediation: 0.0
relevance: 0.9
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.