Astrid Tedenbrant

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions 5.11.1 and earlier **Description** The issue is related to a SQL injection vulnerability in the Core Configuration Manager of Nagios XI. This vulnerability is caused by the lack of protection against SQL query structure manipulation when handling the `tfFirstNotif`, `tfLastNotif`, and `tfNotifInterval` parameters. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code. The vulnerability can be exploited by authenticated attackers with privileges to manage host escalations in the Core Configuration Manager, allowing them to execute arbitrary SQL commands via the host escalation notification settings. **Recommendations** For Nagios XI versions 5.11.1 and earlier, consider disabling the Core Configuration Manager or restricting access to it until a patch is available. As a temporary workaround, avoid using the `tfFirstNotif`, `tfLastNotif`, and `tfNotifInterval` parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions 5.11.0 through 5.11.1 **Description** A SQL injection issue allows authenticated attackers to execute arbitrary SQL commands via the `ID` parameter in the POST request to "/nagiosxi/admin/banner message-ajaxhelper.php". This vulnerability can be exploited by remote attackers to disclose protected information. **Recommendations** For Nagios XI versions 5.11.0 through 5.11.1, consider disabling the `banner message-ajaxhelper.php` script until a patch is available. Restrict access to the `/nagiosxi/admin/banner message-ajaxhelper.php` endpoint to minimize the risk of exploitation. Avoid using the `ID` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions 5.11.1 and below **Description** The issue is related to a SQL injection vulnerability in the update banner message() function of the Nagios XI monitoring tool. This vulnerability arises from inadequate protection of the SQL query structure when processing the `ID` parameter. Exploitation of this vulnerability can allow a remote attacker to gain unauthorized access to protected information and execute arbitrary code. The attacker must have authenticated access and privileges to configure announcement banners. **Recommendations** For Nagios XI versions 5.11.1 and below, as a temporary workaround, consider disabling the `update banner message()` function until a patch is available. Restrict access to the announcement banner configuration privileges to minimize the risk of exploitation. Avoid using the `ID` parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions 5.11.1 and below **Description** A Cross-site scripting (XSS) vulnerability in the Custom Logo component allows authenticated attackers to inject arbitrary javascript or HTML via the `alt-text` field. This affects all pages containing the navbar, including the login page, enabling the attacker to steal plaintext credentials. The vulnerability can be exploited by remote attackers. **Recommendations** For Nagios XI versions 5.11.1 and below, consider disabling the Custom Logo component until a patch is available to prevent exploitation. Restrict access to the `alt-text` field in the Custom Logo component to minimize the risk of XSS attacks. As a temporary workaround, avoid using the Custom Logo component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.