Several security flaws have been disclosed in the Nagios XI network monitoring application that could end result in privilege escalation and details disclosure.
The 4 security vulnerabilities, tracked from CVE-2023-40931 as a result of CVE-2023-40934, affect Nagios XI variations 5.11.1 and reduced. Adhering to accountable disclosure on August 4, 2023, They have been patched as of September 11, 2023, with the release of version 5.11.2.
“3 of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) enable users, with several levels of privileges, to obtain databases fields by using SQL Injections,” Outpost24 researcher Astrid Tedenbrant stated.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“The information attained from these vulnerabilities may perhaps be utilized to more escalate privileges in the solution and get hold of sensitive user information such as password hashes and API tokens.”
CVE-2023-40932, on the other hand, relates to a cross-web-site scripting (XSS) flaw in the Customized Emblem element that could be made use of to go through delicate knowledge, such as cleartext passwords from the login webpage.
The checklist of flaws is explained below –
- CVE-2023-40931 – SQL Injection in Banner acknowledging endpoint
- CVE-2023-40932 – Cross-Site Scripting in Tailor made Brand Component
- CVE-2023-40933 – SQL Injection in Announcement Banner Configurations
- CVE-2023-40934 – SQL Injection in Host/Assistance Escalation in the Core Configuration Supervisor (CCM)
Thriving exploitation of the 3 SQL injection vulnerabilities could allow an authenticated attacker to execute arbitrary SQL instructions, although the XSS bug could be exploited to inject arbitrary JavaScript and study and modify web page data.
This is not the initially time security issues have been uncovered in Nagios XI. In 2021, Skylight Cyber and Claroty learned as a lot of as two dozen flaws that could be abused to hijack the infrastructure and reach distant code execution.
Observed this article attention-grabbing? Observe us on Twitter and LinkedIn to examine additional special material we write-up.
Some parts of this write-up are sourced from:
thehackernews.com
Do You Really Trust Your Web Application Supply Chain?