Nagios XI Core Config Manager SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Core Config Manager (CCM) of Nagios XI, specifically in versions prior to Nagios XI 5.8.5 and CCM 3.1.3. The vulnerability arises from improper escaping of user-supplied input in the search text, which is incorporated into SQL queries for configuration object editors. This flaw allows authenticated users to inject SQL fragments, potentially leading to unauthorized access or modification of configuration and application data. In some environments, this could further compromise the application or backend database.

Impact

Exploitation of this vulnerability allows for SQL injection, which could lead to unauthorized disclosure or modification of data within the application or database.

Reproduction

To reproduce this vulnerability, an authenticated user can access the Core Config Manager (CCM) and use the search functionality. The search input is not properly sanitized, allowing for the injection of SQL fragments. This can be done by entering crafted input that exploits the SQL query handling in the search feature.

Remediation

Users can upgrade to Nagios XI 5.8.5 or later, or to CCM version 3.1.3 or later, where this vulnerability has been addressed.