CVE-2023-40934

Name of the Vulnerable Software and Affected Versions Nagios XI versions 5.11.1 and earlier

Description The issue is related to a SQL injection vulnerability in the Core Configuration Manager of Nagios XI. This vulnerability is caused by the lack of protection against SQL query structure manipulation when handling the tfFirstNotif, tfLastNotif, and tfNotifInterval parameters. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code. The vulnerability can be exploited by authenticated attackers with privileges to manage host escalations in the Core Configuration Manager, allowing them to execute arbitrary SQL commands via the host escalation notification settings.

Recommendations For Nagios XI versions 5.11.1 and earlier, consider disabling the Core Configuration Manager or restricting access to it until a patch is available. As a temporary workaround, avoid using the tfFirstNotif, tfLastNotif, and tfNotifInterval parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.