CVE-2020-28911

Name of the Vulnerable Software and Affected Versions Nagios Fusion versions 4.1.8 and earlier

Description The issue is related to incorrect access control, allowing low-privileged authenticated users to extract passwords used to manage fused servers. This can be achieved via the test server command in ajaxhelper.php. The vulnerability is associated with insecure storage of confidential information, which can be exploited by a remote attacker to gain access to user passwords.

Recommendations For Nagios Fusion versions 4.1.8 and earlier, consider disabling the test server command in ajaxhelper.php as a temporary workaround to minimize the risk of exploitation. Restrict access to ajaxhelper.php to prevent low-privileged users from extracting sensitive information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.