Researchers discovered four vulnerabilities (CVE-2023-40931, CVE-2023-40932, CVE-2023-40933, CVE-2023-40934) in the Nagios XI network and IT infrastructure monitoring solution that could lead to information disclosure and privilege escalation.
Nagios XI provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. It is used by thousands of organizations worldwide.
Outpost24 researcher Astrid Tedenbrant discovered the issues during routine research.
The flaws impact Nagios XI version 5.11.1 and lower. The CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934 vulnerabilities are SQL Injection issues. An attacker can trigger the flaws to escalate privileges in the product and obtain sensitive user data, including password hashes and API tokens.
The vulnerability CVE-2023-40932 is a cross-site scripting flaw via the Custom Logo component. An attacker can trigger the flaw to read and modify page data, including plain-text passwords from login forms.
“Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections. The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens,” reads the post published by Outpost24. “The fourth vulnerability (CVE-2023-40932) allows Cross-Site Scripting via the Custom Logo component, which will render on every page, including the login page. This may be used to read and modify page data, such as plain-text passwords from login forms.”
The company addressed the vulnerabilities on September 11, 2023, with the release of version 5.11.2.
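To turn the affected-version range above (5.11.1 and lower affected, fixed in 5.11.2) into a triage check over an install inventory, here is an added Python example; it is not code from the advisory or from Nagios, and the hostnames and versions in the sample inventory are constructed.

```python
from __future__ import annotations

import re

# Fixed release named in the advisory; every release below it is affected
# (the advisory states 5.11.1 and lower).
NAGIOS_XI_FIXED_VERSION = "5.11.2"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a Nagios XI version string such as '5.11.1' into a comparable tuple.

    Numeric comparison matters: a plain string compare would rank
    '5.9.3' above '5.11.1'. An optional leading 'v' and any trailing
    non-numeric suffix are ignored.
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True if the installed version predates the 5.11.2 fix."""
    return parse_version(version) < parse_version(NAGIOS_XI_FIXED_VERSION)


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map host -> affected flag for an inventory of Nagios XI installs."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "nagios-prod.example.internal": "5.11.1",
    "nagios-lab.example.internal": "5.11.2",
    "nagios-old.example.internal": "5.9.3",
}

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        status = "AFFECTED, upgrade to 5.11.2" if affected else "fixed"
        print(f"{host}: {status}")
```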
In September 2021, researchers from industrial cybersecurity firm Claroty discovered eleven vulnerabilities in Nagios.
The vulnerabilities could lead to server-side request forgery (SSRF), spoofing, local privilege escalation, remote code execution and information disclosure.
(SecurityAffairs – hacking, Nagios XI)