Nagios XI SQL Injection Vulnerability in SNMP Trap Interface Edit Page

Vulnerability

A SQL injection vulnerability has been identified in Nagios XI versions prior to 5.7.5. The issue resides in the SNMP Trap Interface edit page, where user input is not properly sanitized, allowing for the injection of malicious SQL commands. Exploitation of this vulnerability requires administrative privileges to access the affected interface. Successfully exploiting this vulnerability could lead to unauthorized disclosure or modification of application data, or execution of arbitrary SQL commands on the backend database.

Impact

Exploitation of this vulnerability allows for SQL injection, which could result in unauthorized data access or modification, and execution of arbitrary SQL commands on the database.
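The two paragraphs above describe the vulnerability class (a form field concatenated into a SQL statement) and its consequence (modification of data the user never selected). The following added example is not Nagios XI code and does not reproduce the affected page; Python with an in-memory SQLite database stands in for the application's own stack, and the `traps` table, its columns and the sample rows are constructed for illustration. It places the vulnerable string-building pattern beside the parameterised form that defends against it, so the difference in effect on the stored data can be observed directly.

```python
import sqlite3

# Added illustration, not Nagios XI code: a hypothetical "edit trap" handler
# that stores a submitted form field in a small SQLite table. The schema,
# table name and sample rows are constructed for this example.

def setup_db():
    """Create an in-memory database holding two constructed trap definitions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE traps (id INTEGER PRIMARY KEY, name TEXT, oid TEXT)")
    conn.executemany(
        "INSERT INTO traps (name, oid) VALUES (?, ?)",
        [("linkDown", "1.3.6.1.6.3.1.1.5.3"), ("linkUp", "1.3.6.1.6.3.1.1.5.4")],
    )
    conn.commit()
    return conn

def update_trap_vulnerable(conn, trap_id, new_name):
    """Vulnerable pattern: the submitted field is concatenated into the statement.

    A single quote inside new_name terminates the string literal, so whatever
    follows it is parsed as SQL rather than stored as a name.
    Returns the number of rows the statement changed.
    """
    sql = f"UPDATE traps SET name = '{new_name}' WHERE id = {trap_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount

def update_trap_safe(conn, trap_id, new_name):
    """Hardened pattern: a parameterised statement sends the field as data.

    The driver binds new_name as a value, so quotes or keywords inside it can
    never alter the statement's structure. Returns the number of rows changed.
    """
    cur = conn.execute(
        "UPDATE traps SET name = ? WHERE id = ?", (new_name, int(trap_id))
    )
    conn.commit()
    return cur.rowcount

def trap_names(conn):
    """Return the stored names in id order, to inspect the effect of an update."""
    return [row[0] for row in conn.execute("SELECT name FROM traps ORDER BY id")]

if __name__ == "__main__":
    # Constructed input: the quote closes the literal and the trailing comment
    # discards the real WHERE clause, so the vulnerable handler rewrites every row.
    field = "renamed' WHERE 1=1 --"

    vuln = setup_db()
    print("vulnerable handler, rows changed:", update_trap_vulnerable(vuln, 1, field))  # 2
    print(trap_names(vuln))

    safe = setup_db()
    print("parameterised handler, rows changed:", update_trap_safe(safe, 1, field))  # 1
    print(trap_names(safe))
```

Run with the same field value against both handlers: the concatenating version updates both rows although the form only addressed id 1, while the parameterised version updates one row and stores the submitted text verbatim as its name. Parameterised statements are the general remedy for this vulnerability class; the page does not state how the fix in 5.7.5 was implemented, so this is not a description of that change.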

Reproduction

To reproduce this vulnerability, log into Nagios XI with an administrative account and navigate to the SNMP Trap Interface edit page. Enter crafted input containing SQL syntax into a field that does not properly sanitize user input and submit the form. The injected SQL is then executed against the backend database, demonstrating the vulnerability.

Remediation

Upgrade to Nagios XI version 5.7.5 or later, where this vulnerability has been fixed.

Added: Oct 30, 2025, 11:38 PM
Updated: Oct 30, 2025, 11:38 PM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          5.0
exploitability  5.1
remediation     0.0
relevance       0.9
threat          1.6
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.