Vulnerability Description
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple SQL injection vulnerabilities in the object edit pages. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nagios | Nagios Xi | < 5.7.4 |
Related Weaknesses (CWE)
References
- https://www.nagios.com/changelog/nagios-xi/Release Notes
- https://www.vulncheck.com/advisories/nagios-xi-ccm-sqli-via-object-edit-pagesThird Party Advisory
FAQ
What is CVE-2020-36859?
CVE-2020-36859 is a vulnerability with a CVSS score of 8.8 (HIGH). The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple SQL injection vulnerabilities in the object edit pages. Unsanitized user-supplied input was i...
How severe is CVE-2020-36859?
CVE-2020-36859 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-36859?
Check the references section above for vendor advisories and patch information. Affected products include: Nagios Nagios Xi.