Product and Affected Versions: Product: Nagios XI (network monitoring software). Affected Versions: Nagios XI 5.11.1 and earlier. |
Severity and CVE IDs: Severity: High (all four). CVE-2023-40931 – SQL Injection in Banner acknowledging endpoint; CVE-2023-40932 – Cross-Site Scripting in Custom Logo Component; CVE-2023-40933 – SQL Injection in Announcement Banner Settings; CVE-2023-40934 – SQL Injection in Host/Service Escalation in the Core Configuration Manager (CCM). |
Vulnerabilities:
– CVE-2023-40931 – SQL Injection in Banner acknowledging endpoint. Severity: High. An authenticated user can inject SQL through the banner acknowledging endpoint and execute arbitrary SQL commands against the Nagios XI database.
– CVE-2023-40932 – Cross-Site Scripting in Custom Logo Component. Severity: High. An attacker who can set the custom logo can store arbitrary JavaScript that runs in the browser of every user who loads a page carrying the logo, including the login page, where the script can read credentials in cleartext as they are entered.
– CVE-2023-40933 – SQL Injection in Announcement Banner Settings. Severity: High. An authenticated user can inject SQL through the announcement banner settings and execute arbitrary SQL commands, including queries that read sensitive data such as password hashes and API tokens.
– CVE-2023-40934 – SQL Injection in Host/Service Escalation in the Core Configuration Manager (CCM). Severity: High. An authenticated user can inject SQL through the host/service escalation forms of the CCM, execute arbitrary SQL commands and potentially escalate privileges within the product. |
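The defect class behind the three SQL injection findings, as an added illustration that is not Nagios XI code: the request parameter is spliced into the query text, so a value containing SQL rewrites the query instead of being compared to an id. The SQLite schema, table and column names, sample rows and the `lookup_banner_*` functions are all constructed for this example; the hardened version validates the type and binds the value as a parameter.

```python
import sqlite3


def build_demo_db():
    """Constructed toy database: a banners table plus a users table holding
    password hashes and API tokens. It stands in for an application database
    and is not Nagios XI's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE banners (id INTEGER PRIMARY KEY, message TEXT, acknowledged INTEGER DEFAULT 0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, api_key TEXT);
        INSERT INTO banners (id, message) VALUES (1, 'Maintenance window tonight'), (2, 'Welcome');
        INSERT INTO users (username, password_hash, api_key)
            VALUES ('admin', '$2y$10$constructedhash', 'constructed-api-key');
    """)
    return conn


def lookup_banner_vulnerable(conn, banner_id):
    """Vulnerable pattern: the request parameter is concatenated into the SQL
    text, so anything after a valid id becomes part of the statement."""
    sql = "SELECT id, message FROM banners WHERE id = " + banner_id
    return conn.execute(sql).fetchall()


def lookup_banner_fixed(conn, banner_id):
    """Hardened pattern: check the type, then bind the value as a parameter.
    The driver passes the value separately from the query, so it can never
    add a UNION, a comment or a second statement."""
    if not isinstance(banner_id, str) or not banner_id.isdigit():
        raise ValueError("banner id must be a non-negative integer")
    return conn.execute(
        "SELECT id, message FROM banners WHERE id = ?", (int(banner_id),)
    ).fetchall()


# Constructed attacker input: a valid id followed by a UNION that pulls rows
# from the users table into the two columns the endpoint already returns.
INJECTION = "1 UNION SELECT username, password_hash FROM users"


def demo():
    """Run the same payload against both versions; returns (leaked rows, blocked)."""
    conn = build_demo_db()
    leaked = lookup_banner_vulnerable(conn, INJECTION)
    try:
        lookup_banner_fixed(conn, INJECTION)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    print("vulnerable lookup returned:", rows)
    print("fixed lookup rejected the payload:", blocked)
```

The vulnerable lookup returns the banner row followed by the admin's username and password hash; the fixed lookup refuses the payload before it reaches the database. Binding alone would already prevent the injection; the explicit integer check is there so that a malformed id is rejected with a clear error rather than silently matched against nothing.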
How the Attack Works: – CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934 all require an authenticated session, so an account on the system is the starting point. The attacker sends a request to the affected endpoint in which a parameter contains SQL rather than the expected value; because the value is built into the query text, the injected SQL runs, allowing data extraction (for example password hashes and API tokens) and privilege escalation. – CVE-2023-40932 is exploited by setting the custom logo to a value containing JavaScript. The script is served to every user who loads a page carrying the logo, including the login page, so it can read credentials in cleartext as they are typed and send them to the attacker. |
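The attribute-context injection behind the XSS finding, as an added illustration that is not Nagios XI code: a stored setting is concatenated into an `<img>` tag, so a value containing a double quote closes the `src` attribute and adds an event handler. The `render_logo_*` functions, the attacker value, the filename allowlist and the `has_event_handler` check are constructed for this example.

```python
import re
from html import escape

# Constructed attacker value for the logo setting: it closes the src attribute
# early and adds an event handler that runs JavaScript in every visitor's browser.
PAYLOAD = 'logo.png" onerror="alert(document.cookie)'


def render_logo_vulnerable(logo_path):
    """Vulnerable pattern: the stored setting is concatenated into markup
    verbatim, so quotes in it break out of the attribute and the browser
    parses whatever follows as new attributes."""
    return '<img class="custom-logo" src="' + logo_path + '">'


def render_logo_fixed(logo_path):
    """Hardened pattern: encode the value for an HTML attribute context.
    quote=True turns double and single quotes into entities, so the value
    cannot close the attribute it is placed in."""
    return '<img class="custom-logo" src="' + escape(logo_path, quote=True) + '">'


# Defence in depth for the setting itself: a plain image filename, no path
# separators, no markup. SVG is left out because it can carry scripts.
ALLOWED_LOGO = re.compile(r"[A-Za-z0-9_.-]+\.(png|jpg|jpeg|gif)")


def validate_logo_name(logo_path):
    """Accept only a bare filename with an allowed raster-image extension."""
    return ALLOWED_LOGO.fullmatch(logo_path) is not None


# Crude marker used only to show the difference between the two renderings:
# an on*="..." attribute that the template itself never contained.
EVENT_HANDLER = re.compile(r'\son[a-z]+\s*=\s*["\']', re.IGNORECASE)


def has_event_handler(html):
    """True if the rendered markup contains an injected event-handler attribute."""
    return EVENT_HANDLER.search(html) is not None


if __name__ == "__main__":
    print("vulnerable:", render_logo_vulnerable(PAYLOAD))
    print("fixed:     ", render_logo_fixed(PAYLOAD))
    print("payload accepted by allowlist:", validate_logo_name(PAYLOAD))
```

Encoding at output time is the fix the page's description calls for; validating the stored value on the way in is the extra layer that keeps a future template from reintroducing the bug. Note that the allowlist is deliberately narrower than what a file system would accept, which is the point of an allowlist.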
Remediations: – Nagios fixed all four vulnerabilities in Nagios XI 5.11.2, released September 11, 2023. Update every Nagios XI installation to 5.11.2 or later. – Because the SQL injection flaws expose password hashes and API tokens, treat any instance that ran an affected version with untrusted authenticated users as potentially compromised: rotate API keys and user passwords after patching, and inspect the stored custom logo setting for injected markup. – Beyond patching, restrict network access to the Nagios XI web interface to authorized personnel, keep the set of accounts to a minimum, and monitor access logs for unexpected requests to the affected banner, announcement and CCM escalation pages. |
Reference: – The vulnerabilities were disclosed by Outpost24 researcher Astrid Tedenbrant. – For details on each flaw and the fixes shipped in 5.11.2, consult Outpost24's disclosure and the security advisories and release notes published by Nagios on the official Nagios website. |