Multiple security flaws have been disclosed in the Nagios XI network monitoring software that could result in privilege escalation and information disclosure.
The four security vulnerabilities, tracked from CVE-2023-40931 through CVE-2023-40934, impact Nagios XI versions 5.11.1 and lower. Following responsible disclosure on August 4, 2023, They have been patched as of September 11, 2023, with the release of version 5.11.2.
The list of flaws is described below –
- CVE-2023-40931 – SQL Injection in Banner acknowledging endpoint
- CVE-2023-40932 – Cross-Site Scripting in Custom Logo Component
- CVE-2023-40933 – SQL Injection in Announcement Banner Settings
- CVE-2023-40934 – SQL Injection in Host/Service Escalation in the Core Configuration Manager (CCM)
Successful exploitation of the three SQL injection vulnerabilities could permit an authenticated attacker to execute arbitrary SQL commands, while the XSS bug could be exploited to inject arbitrary JavaScript and read and modify page data.
This is not the first time security issues have been uncovered in Nagios XI. In 2021, Skylight Cyber and Claroty discovered as many as two dozen flaws that could be abused to hijack the infrastructure and achieve remote code execution.
Source: https://thehackernews.com/