Detections
Analytics
Nagios XI < 2012R2.4 SQL Injection Vulnerability
high Nessus Network Monitor Plugin ID 8369
Synopsis
A vulnerable version of Nagios XI has been detected.Description
Versions of Nagios XI prior to 2012R2.4 are affected by an SQL injection vulnerability in the Nagios Core Configuration Manager. The Nagios Core Configuration Manager is a web-based configuration tool for Nagios XI and is based on the NagiosQL configuration tool. The vulnerability exists in the 'functions/prepend_adm.php' script, which fails to properly sanitize user-supplied input to the 'tfPassword' parameter before using it in database queries. An attacker could execute arbitrary SQL commands leading to manipulation or disclosure of arbitrary data.Solution
Upgrade to Nagios XI 2012R2.4 or later.See Also
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2012.TXT
Plugin Details
Severity: High
ID: 8369
Family: CGI
Published: 8/26/2014
Updated: 3/6/2019
Nessus ID: 71636
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: High
Base Score: 7.3
Temporal Score: 7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:nagios:nagios_xi
Patch Publication Date: 9/24/2013
Vulnerability Publication Date: 11/13/2013
Reference Information
CVE: CVE-2013-6875
BID: 63754