CVE-2023-40933

Name of the Vulnerable Software and Affected Versions Nagios XI versions 5.11.1 and below

Description The issue is related to a SQL injection vulnerability in the update banner message() function of the Nagios XI monitoring tool. This vulnerability arises from inadequate protection of the SQL query structure when processing the ID parameter. Exploitation of this vulnerability can allow a remote attacker to gain unauthorized access to protected information and execute arbitrary code. The attacker must have authenticated access and privileges to configure announcement banners.

Recommendations For Nagios XI versions 5.11.1 and below, as a temporary workaround, consider disabling the update banner message() function until a patch is available. Restrict access to the announcement banner configuration privileges to minimize the risk of exploitation. Avoid using the ID parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.