Multiple security flaws have been disclosed in Nagios XI network monitoring software that could lead to privilege escalation and information disclosure.
The four security vulnerabilities, tracked as CVE-2023-40931 through CVE-2023-40934, affect Nagios XI versions 5.11.1 and below. Following responsible disclosure on August 4, 2023, the issues were patched in version 5.11.2, released on September 11, 2023.
“Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934) allow users with varying levels of privilege to access database fields via SQL injection,” said Outpost24 researcher Astrid Tedenbrant.
“The data obtained from these vulnerabilities could be used to further escalate privileges within the product and obtain sensitive user data such as password hashes and API tokens.”
CVE-2023-40932, on the other hand, is related to a cross-site scripting (XSS) flaw in the Custom Logo component that can be used to read sensitive data such as cleartext passwords from login pages.
The four flaws are listed below.
- CVE-2023-40931 – SQL injection in banner authorization endpoint
- CVE-2023-40932 – Cross-site scripting with custom logo components
- CVE-2023-40933 – SQL injection in notification banner settings
- CVE-2023-40934 – SQL injection in Core Configuration Manager (CCM) host/service escalation
The three SQL injection vulnerabilities could allow an authenticated attacker to execute arbitrary SQL commands, while the XSS bug could be exploited to inject arbitrary JavaScript, allowing page data to be read and modified.
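The two bug classes above come from the same root cause: untrusted input reaching an interpreter (SQL or HTML) without being separated from the instructions around it. The following added example (not Nagios XI code, and not tied to any of its endpoints) uses a constructed in-memory banner table to show a lookup that splices input into the query text next to the hardened form that binds it as a parameter, plus the output-encoding step that keeps a stored banner from being interpreted as markup. The table name, columns and sample rows are all assumptions made for the example.

```python
import html
import sqlite3

# Constructed sample data: a small in-memory table standing in for a
# notification-banner store. Added example, not code from Nagios XI.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE banners (id INTEGER PRIMARY KEY, message TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO banners (id, message, owner) VALUES (?, ?, ?)",
        [
            (1, "Maintenance window Friday 22:00", "admin"),
            (2, "<b>Private note</b> for ops only", "ops"),
        ],
    )
    return conn


def find_banner_unsafe(conn: sqlite3.Connection, banner_id: str) -> list:
    # Vulnerable pattern: the caller's input becomes part of the SQL text,
    # so it can change the query's structure rather than only its data.
    query = f"SELECT id, message FROM banners WHERE id = {banner_id}"
    return conn.execute(query).fetchall()


def find_banner_safe(conn: sqlite3.Connection, banner_id: str) -> list:
    # Hardened pattern: validate the expected type, then bind the value as a
    # parameter. The driver ships it separately from the statement, so it is
    # only ever compared against the column, never parsed as SQL.
    try:
        bid = int(banner_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, message FROM banners WHERE id = ?", (bid,)
    ).fetchall()


def render_banner(message: str) -> str:
    # Output encoding for HTML body content. quote=True also escapes " and ',
    # so the same helper is safe when the value lands in an attribute.
    return f'<div class="banner">{html.escape(message, quote=True)}</div>'


if __name__ == "__main__":
    db = make_db()
    # A well-formed id behaves identically in both versions.
    print(find_banner_safe(db, "1"))
    # Input that is not a plain integer is rejected by the hardened lookup,
    # whereas the concatenating version lets it widen the WHERE clause.
    print(find_banner_safe(db, "1 OR 1=1"), find_banner_unsafe(db, "1 OR 1=1"))
    print(render_banner(find_banner_safe(db, "2") or [(2, "")][0][1]))
```

The takeaway for review is mechanical: any query built with string formatting or concatenation is a finding regardless of how the input is filtered upstream, and any value written into a page is encoded for the context (HTML body, attribute, JavaScript, URL) it lands in, not stored pre-escaped.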
This is not the first time a security issue has been revealed with Nagios XI. In 2021, Skylight Cyber and Claroty discovered up to 24 flaws that could be exploited to hijack infrastructure and remotely execute code.