PT-2019-12731 · Nagios · Nagios Xi

Jameelnabbo · Published 2019-05-22 · Updated 2024-08-05 · CVE-2019-12279

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Nagios XI version 5.6.1

Description: The issue concerns a potential SQL injection via the username parameter to "login.php?forgotpass" (also known as the reset password form). However, the vendor disputes this as a vulnerability, stating that the proof of concept does not demonstrate a valid SQL injection and that the username value is passed through SQL escaping functions when creating the SQL query.

Recommendations: For Nagios XI version 5.6.1, there is currently no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2019-12279

Affected Products

Nagios Xi