Several security flaws have been disclosed in the Nagios XI network monitoring software that could result in privilege escalation and information disclosure.
The four security vulnerabilities, tracked from CVE-2023-40931 through CVE-2023-40934, affect Nagios XI versions 5.11.1 and lower. Following responsible disclosure on August 4, 2023, they were patched as of September 11, 2023, with the release of version 5.11.2.
“Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections,” Outpost24 researcher Astrid Tedenbrant said.
“The data acquired from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens.”
CVE-2023-40932, on the other hand, relates to a cross-site scripting (XSS) flaw in the Custom Logo component that could be used to read sensitive data, including cleartext passwords from the login page.
The list of flaws is as follows –
- CVE-2023-40931 – SQL Injection in the Banner acknowledging endpoint
- CVE-2023-40932 – Cross-Site Scripting in the Custom Logo Component
- CVE-2023-40933 – SQL Injection in Announcement Banner Settings
- CVE-2023-40934 – SQL Injection in Host/Service Escalation in the Core Configuration Manager (CCM)
Successful exploitation of the three SQL injection vulnerabilities could allow an authenticated attacker to execute arbitrary SQL commands, while the XSS bug could be exploited to inject arbitrary JavaScript and read and modify page data.
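The following is an added illustration of the bug class described above, written for this article and not code from Nagios XI or Outpost24. It assumes a hypothetical "acknowledge banner" handler that takes a banner ID from the request; the table names, column names, hash and API key are all constructed for the example. The vulnerable version concatenates the ID into the query, so an authenticated user can append a UNION that returns password hashes and API keys from another table; the parameterized version treats the same input as a plain value and returns nothing.

```python
"""Illustrative SQL-injection demo (not Nagios XI code): a hypothetical
'acknowledge banner' lookup, vulnerable vs. parameterized."""
import sqlite3


def build_db():
    # Constructed sample schema and rows; the hash and key are placeholders.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE banners (id INTEGER PRIMARY KEY, message TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password_hash TEXT, api_key TEXT);
        INSERT INTO banners VALUES (1, 'Maintenance window Friday');
        INSERT INTO users VALUES (1, 'nagiosadmin',
                                  '$2y$10$constructedhash', 'constructed-api-key');
    """)
    return conn


def acknowledge_banner_vulnerable(conn, banner_id):
    # banner_id comes straight from the request and is concatenated into SQL,
    # so any SQL the caller appends becomes part of the statement.
    query = "SELECT id, message FROM banners WHERE id = " + banner_id
    return conn.execute(query).fetchall()


def acknowledge_banner_safe(conn, banner_id):
    # Parameterized: the value is bound separately from the query text and can
    # never change the statement's structure.
    return conn.execute(
        "SELECT id, message FROM banners WHERE id = ?", (banner_id,)
    ).fetchall()


# Constructed payload: valid ID followed by a UNION that pulls from the
# users table (two columns, to match the original SELECT).
INJECTION = "1 UNION ALL SELECT username, password_hash || ':' || api_key FROM users"


def leaked_credentials(rows):
    # Rows whose first column is a username rather than an integer banner ID
    # came from the injected SELECT.
    return [row for row in rows if not isinstance(row[0], int)]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", acknowledge_banner_vulnerable(db, INJECTION))
    print("safe:      ", acknowledge_banner_safe(db, INJECTION))
```

The UNION payload works only because the handler never separates query text from data; the fix is the parameter binding, not input filtering, and it applies equally to the banner settings and CCM escalation endpoints named above, which share the same bug class.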
This is not the first time security issues have been uncovered in Nagios XI. In 2021, Skylight Cyber and Claroty identified as many as two dozen flaws that could be abused to hijack the infrastructure and achieve remote code execution.
Some parts of this article are sourced from:
thehackernews.com