Description
An SQL injection vulnerability has been discovered in the login functionality of Nagios Core Config Manager. It exists because the password field is not validated before being used to construct an SQL query on the fly. SQL injection allows a malicious entity to execute arbitrary SQL statements. The vulnerability was discovered in the Nagios Core Config Manager shipped with the Nagios XI virtual appliance, which can be found under http://<vmlocation>/nagiosql/index.php.
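The class of defect described above, as an added PHP example (not code from NagiosQL or Nagios XI): a login check that builds its query by string concatenation beside one that uses a bound parameter and verifies the password outside the database. The `users` table, its columns, both function names and the sample password are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not NagiosQL or Nagios XI source. The table, columns and
// function names are hypothetical; the in-memory SQLite data is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_plain exists only so the defective query has a column to compare.
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_plain TEXT, password_hash TEXT)');
$secret = "Tr0ub4dor's-key";   // constructed password that happens to contain a quote
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['admin', $secret, password_hash($secret, PASSWORD_DEFAULT)]);

// Defective pattern: the password is pasted into the SQL text, so a quote in
// it is parsed as SQL syntax instead of being treated as data.
function login_concatenated(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password_plain = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened pattern: the statement text is fixed, the username is bound as a
// parameter, and the password never reaches the database; it is checked in
// PHP against a stored hash.
function login_parameterized(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

foreach ([$secret, 'wrong-guess'] as $candidate) {
    try {
        $old = login_concatenated($db, 'admin', $candidate) ? 'accepted' : 'rejected';
    } catch (PDOException $e) {
        // The input changed the shape of the statement; the parser rejected it.
        $old = 'SQL error';
    }
    $new = login_parameterized($db, 'admin', $candidate) ? 'accepted' : 'rejected';
    printf("%-16s concatenated: %-9s parameterized: %s\n", $candidate, $old, $new);
}
```

A legitimate password that merely contains a quote is enough to show that the concatenated form lets user input alter the statement, which is a useful regression check when reviewing login code.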
Remediation
Upgrade to the latest version of Nagios.