
Nagios XI < 5.2.8 Multiple Vulnerabilities

High

Synopsis

A vulnerable version of Nagios XI has been detected.

Description

Versions of Nagios XI prior to 5.2.8 are affected by multiple vulnerabilities:

- A flaw exists that may allow carrying out an SQL injection attack. The issue is due to the 'nagiosim.php' script not properly sanitizing user-supplied input to the 'host' and 'service' parameters. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. (OSVDB 139377)
- A flaw exists that is triggered as input passed via the 'title' parameter to the 'nagiosim.php' script is not properly sanitized. This may potentially allow an authenticated remote attacker to execute arbitrary commands. (OSVDB 139378)
- A flaw exists that is triggered as input passed via the 'start' and 'end' parameters to the 'graphApi.php' script is not properly sanitized. This may potentially allow an authenticated remote attacker to execute arbitrary commands. (OSVDB 139379)
- A flaw exists in the 'getprofile.sh' script that is triggered as it does not properly restrict the upload of components. This may potentially allow an authenticated remote attacker to upload components, and use them to gain elevated privileges. (OSVDB 139380)
- A flaw exists that is due to an insecure implementation of the password reset mechanism. The program does not verify that the reset token is used for the account for which it was generated, which may allow a remote attacker to reset the passwords of arbitrary users. (OSVDB 139383)
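To illustrate the password-reset weakness in the last item, the following is an added example (not Nagios XI code) of a minimal in-memory reset-token store: a weak check that only confirms a token exists and is unexpired sits beside a hardened check that also binds the token to the account it was issued for, enforces expiry, and invalidates the token after one use. The class, method names and time-to-live value are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets
import time


class ResetTokenStore:
    """Constructed in-memory password-reset token store (illustrative, not Nagios XI code)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        # Only a hash of each token is stored, so a leaked store does not yield usable tokens.
        self._tokens = {}  # sha256(token) -> (owner username, expiry timestamp)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Generate a random token bound to `username`; the plaintext is returned for delivery."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (username, now + self.ttl)
        return token

    def verify_weak(self, token, username, now=None):
        """Flawed check: asks only whether the token exists and is unexpired, never
        which account it was generated for, so any valid token resets the named user."""
        now = time.time() if now is None else now
        record = self._tokens.get(self._key(token))
        return record is not None and now < record[1]

    def verify(self, token, username, now=None):
        """Hardened check: the token must exist, be unexpired and belong to `username`,
        and it is consumed on the first successful use."""
        now = time.time() if now is None else now
        key = self._key(token)
        record = self._tokens.get(key)
        if record is None:
            return False
        owner, expires_at = record
        if now >= expires_at:
            self._tokens.pop(key, None)  # purge expired tokens
            return False
        if not hmac.compare_digest(owner.encode(), username.encode()):
            return False  # token was generated for a different account
        del self._tokens[key]  # single use
        return True
```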

Solution

Upgrade to Nagios XI version 5.2.8 or later.