Nagios XI < 2012R2.4 SQL Injection Vulnerability

Nessus Network Monitor Plugin ID 8369 (Severity: High)

Synopsis

A vulnerable version of Nagios XI has been detected.

Description

Versions of Nagios XI prior to 2012R2.4 are affected by an SQL injection vulnerability in the Nagios Core Configuration Manager. The Nagios Core Configuration Manager is a web-based configuration tool for Nagios XI and is based on the NagiosQL configuration tool. The vulnerability exists in the 'functions/prepend_adm.php' script, which fails to properly sanitize user-supplied input to the 'tfPassword' parameter before using it in database queries. An attacker could execute arbitrary SQL commands leading to manipulation or disclosure of arbitrary data.
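To illustrate the bug class the description refers to, here is an added example (not code from Nagios XI or NagiosQL): a login check that splices the 'tfPassword' value straight into the SQL string, beside the parameterised form that removes the injection. The table name, column names and sample row are assumptions, and the database is a constructed in-memory SQLite stand-in for the configuration manager's MySQL backend.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the configuration manager's user table;
    # table/column names and the sample row are assumptions for this demo.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_user (username TEXT, password TEXT)")
    db.execute("INSERT INTO tbl_user VALUES ('nagiosadmin', 'secret')")
    return db


def login_vulnerable(db, user, tf_password):
    # The defect: the request parameter is concatenated into the SQL text,
    # so a quote character in tfPassword changes the structure of the query
    # instead of being compared as data.
    sql = ("SELECT COUNT(*) FROM tbl_user "
           "WHERE username='%s' AND password='%s'" % (user, tf_password))
    return db.execute(sql).fetchone()[0] > 0


def login_fixed(db, user, tf_password):
    # Hardened form: a parameterised query. The driver binds the value
    # separately from the statement, so whatever the client sends is only
    # ever compared as a string; no escaping or "sanitising" is needed.
    sql = "SELECT COUNT(*) FROM tbl_user WHERE username=? AND password=?"
    return db.execute(sql, (user, tf_password)).fetchone()[0] > 0


def demo():
    # Compare both checks on the real password and on a constructed input
    # that closes the quoted literal and appends an always-true condition.
    db = make_db()
    good = "secret"
    crafted = "x' OR '1'='1"
    return {
        "vuln_good": login_vulnerable(db, "nagiosadmin", good),
        "vuln_crafted": login_vulnerable(db, "nagiosadmin", crafted),
        "fixed_good": login_fixed(db, "nagiosadmin", good),
        "fixed_crafted": login_fixed(db, "nagiosadmin", crafted),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable check accepts the crafted value because the appended condition makes the WHERE clause true for every row; the parameterised check rejects it, and also copes with a bare quote that would otherwise be a SQL syntax error.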

Solution

Upgrade to Nagios XI 2012R2.4 or later.

See Also

http://assets.nagios.com/downloads/nagiosxi/CHANGES-2012.TXT

Plugin Details

Severity: High

ID: 8369

Family: CGI

Published: 8/26/2014

Updated: 3/6/2019

Nessus ID: 71636

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:nagios:nagios_xi

Patch Publication Date: 9/24/2013

Vulnerability Publication Date: 11/13/2013

Reference Information

CVE: CVE-2013-6875

BID: 63754