CVE-2021-25298

Name of the Vulnerable Software and Affected Versions Nagios XI version xi-5.7.5

Description The issue is related to OS command injection due to improper sanitization of authenticated user-controlled input by a single HTTP request. This can lead to OS command injection on the Nagios XI server. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php.

Recommendations For Nagios XI version xi-5.7.5, consider disabling access to the vulnerable file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php until a patch is available. Restrict access to the cloud-vm.inc.php file to minimize the risk of exploitation. Avoid using the affected HTTP request endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.