Nagios XI < 2024R1.2.2 Multiple Vulnerabilities

Severity: Medium | Nessus Plugin ID 216939

Synopsis

The remote host has a web application affected by multiple vulnerabilities.

Description

According to the self-reported version of Nagios XI, the remote host is affected by multiple vulnerabilities, including the following:

- Nagios XI versions prior to 2024R1.2.2 are vulnerable to a Cross-Site Request Forgery (CSRF) attack through the Favorites component, enabling POST-based Cross-Site Scripting (XSS). A remote attacker can exploit this by tricking an authenticated user into submitting a crafted request on the attacker's behalf, for example one that injects a script, which may compromise that user's session or lead to unauthorized actions within the application. (CVE-2024-549)

- Nagios XI versions prior to 2024R1.2.2 are affected by a SQL Injection vulnerability in the History Tab component. A remote attacker can exploit this flaw by submitting a crafted payload, allowing unauthorized access to the underlying database. This could result in data exposure, data modification, or complete compromise of the application. (CVE-2024-54960)

- Nagios XI versions prior to 2024R1.2.2 allow unauthenticated users to access multiple pages that display the usernames and email addresses of all current users. This information disclosure flaw aids attacker reconnaissance and can lead to targeted phishing or further exploitation. (CVE-2024-54961)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
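The version-only logic that the note above describes, written out as an added example. This is not the plugin's NASL code and not code from Tenable or Nagios: it pulls the self-reported version out of a page body and compares it with the fixed release named in the Solution. The two version formats, the banner pattern used for extraction and the sample pages are assumptions or constructed inputs, not taken from the page.

```python
import re

# From the page's Solution: the first release carrying the fixes.
FIXED_VERSION = "2024R1.2.2"

# Assumed version formats (not stated on the page):
#   year-based releases  "2024R1.2.2"  ->  <year>R<release>.<minor>.<patch>
#   legacy releases      "5.11.3"      ->  <major>.<minor>.<patch>
_YEAR_RE = re.compile(r"^(\d{4})R(\d+)\.(\d+)\.(\d+)$")
_LEGACY_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# Assumed: the product name is followed by the version somewhere in the page body.
_BANNER_RE = re.compile(r"Nagios XI\s+(\d{4}R\d+\.\d+\.\d+|\d+\.\d+\.\d+)")


def parse_version(version: str) -> tuple:
    """Turn a Nagios XI version string into a tuple that sorts chronologically.

    "2024R1.2.2" -> (2024, 1, 2, 2); "5.11.3" -> (5, 11, 3, 0).
    Assumption: every legacy 5.x release predates the year-based line, so the
    leading component alone (5 vs 2024) orders the two schemes correctly.
    """
    s = version.strip()
    m = _YEAR_RE.match(s)
    if m:
        return tuple(int(g) for g in m.groups())
    m = _LEGACY_RE.match(s)
    if m:
        return tuple(int(g) for g in m.groups()) + (0,)
    raise ValueError(f"unrecognised Nagios XI version string: {version!r}")


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the self-reported version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def extract_version(html: str):
    """Pull the self-reported version out of a page body, or None if absent."""
    m = _BANNER_RE.search(html)
    return m.group(1) if m else None


def assess(html: str) -> dict:
    """Combine extraction and comparison the way a version-only check does."""
    version = extract_version(html)
    if version is None:
        # No banner: a version-only check cannot decide either way.
        return {"version": None, "affected": None, "reason": "no version banner found"}
    return {"version": version, "affected": is_affected(version),
            "reason": f"compared against fixed release {FIXED_VERSION}"}


# Constructed sample pages (not captured from a real Nagios XI install).
SAMPLE_OLD = "<div class='footer'>Nagios XI 2024R1.1.3 &copy; Nagios Enterprises</div>"
SAMPLE_FIXED = "<div class='footer'>Nagios XI 2024R1.2.2 &copy; Nagios Enterprises</div>"
SAMPLE_LEGACY = "<div class='footer'>Nagios XI 5.11.3 &copy; Nagios Enterprises</div>"
SAMPLE_NONE = "<div class='footer'>Nagios XI &copy; Nagios Enterprises</div>"

if __name__ == "__main__":
    for page in (SAMPLE_OLD, SAMPLE_FIXED, SAMPLE_LEGACY, SAMPLE_NONE):
        print(assess(page))
```

The point of the `assess` function's three-way result is the caveat in the note above: a check that only reads the banner reports a false positive when the vendor back-ports a fix without bumping the version, a false negative when an administrator hides or edits the banner, and nothing at all when the banner is absent. Treat its output as a prompt to confirm the installed version on the host, not as proof that the three issues are present or absent.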

Solution

Upgrade to Nagios XI 2024R1.2.2 or later.

See Also

https://www.nagios.com/downloads/nagios-xi/change-log/

https://www.nagios.com/products/security/

Plugin Details

Severity: Medium

ID: 216939

File Name: nagiosxi_2024r1-2-2.nasl

Version: 1.1

Type: combined

Agent: unix

Family: CGI abuses

Published: 2/28/2025

Updated: 2/28/2025

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-54958

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: CVE-2024-54958

Vulnerability Information

CPE: cpe:/a:nagios:nagios_xi

Patch Publication Date: 2/20/2025

Vulnerability Publication Date: 2/20/2025

Reference Information

CVE: CVE-2024-54958, CVE-2024-54959, CVE-2024-54960, CVE-2024-54961

IAVB: 2024-B-0031