A series of security issues has been disclosed in Nagios XI, the network monitoring application, that could lead to privilege escalation and data breaches.
The vulnerabilities, tracked as CVE-2023-40931 through CVE-2023-40934, affect Nagios XI version 5.11.1 and earlier. They were responsibly reported on August 4, 2023, and patched on September 11, 2023, with the release of version 5.11.2.
Outpost24’s security analyst, Astrid Tedenbrant, commented, “Among the disclosed issues, CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934 permit individuals of differing access rights to probe database entries through SQL Injections. Data gathered from these weak points could pave the way for even greater system access and extraction of confidential data, including password encryptions and API keys.”
By contrast, CVE-2023-40932 is a cross-site scripting (XSS) flaw in the Custom Logo feature, which could allow plaintext passwords to be extracted directly from the login page.
The vulnerabilities are outlined as follows:
- CVE-2023-40931 – SQL Injection via the Banner acknowledgment interface
- CVE-2023-40932 – XSS within the Custom Logo Module
- CVE-2023-40933 – SQL Injection within Announcement Banner Configurations
- CVE-2023-40934 – SQL Injection during Host/Service Escalation in the Central Configuration Hub (CCH)
This is not the first time security flaws have been identified in Nagios XI. In the past year, both Skylight Cyber and Claroty reported a number of vulnerabilities that could compromise the underlying system infrastructure and allow remote command execution.