nGenuity


Nagios XI Multiple CSRF

Nagios XI 2009R1.2B and prior are vulnerable to multiple cross-site request forgery (CSRF) vulnerabilities. To be exploited, these vulnerabilities require that the nagiosadmin user be logged into the web interface (though not necessarily into the configuration manager). To demonstrate some of the potential impact of these vulnerabilities, the technical description contains a chained exploit that creates a simple web shell on the targeted Nagios system.
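The precondition above, that a logged-in nagiosadmin is all the attacker needs, is exactly what a synchronizer token defeats: the victim's browser attaches the session cookie to a request an attacker's page triggers, but the page cannot read a token tied to that session. The following Python sketch is an added example, not Nagios XI code and not the advisory's exploit. The endpoint, user names, origins and request shape are assumptions; it contrasts a handler that trusts the cookie alone with one that also requires a per-session, per-action token, rejects GETs for state changes and refuses cross-origin POSTs.

```python
"""Synchronizer-token CSRF check, added as a hypothetical example; not Nagios XI code.

A CSRF attack rides on the victim's session cookie: the browser attaches it to any
request an attacker page triggers, so a handler that trusts the cookie alone will
perform the state change. The hardened handler also demands a per-session token
that the attacker's page cannot read, and refuses cross-origin POSTs.
"""
import hashlib
import hmac
import secrets

TRUSTED_ORIGIN = "https://nagios.example"  # assumed site origin
SESSIONS = {}  # session id -> {"user": ..., "csrf_secret": ...}


def login(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_secret": secrets.token_bytes(32)}
    return sid


def csrf_token(sid, action):
    # Token bound to the session's secret and to the action name, so a token
    # leaked from one form cannot be replayed against another action.
    return hmac.new(SESSIONS[sid]["csrf_secret"], action.encode(), hashlib.sha256).hexdigest()


def add_user_vulnerable(request):
    # Vulnerable: a valid session cookie is the only thing checked.
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "login required"
    return 200, f"{sess['user']} created account {request['params']['new_user']}"


def add_user_hardened(request):
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "login required"
    if request["method"] != "POST":
        return 405, "state changes require POST"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request refused"
    supplied = request["params"].get("csrf_token", "")
    expected = csrf_token(request["cookies"]["sid"], "add_user")
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"{sess['user']} created account {request['params']['new_user']}"


def forged_request(sid):
    # What an attacker's page makes the logged-in victim's browser send:
    # the cookie rides along automatically, the token is unknown.
    return {"method": "POST", "headers": {"Origin": "https://attacker.example"},
            "cookies": {"sid": sid}, "params": {"new_user": "backdoor"}}


def forged_get(sid):
    # Same attack via an <img src=...> style GET, which carries no Origin header.
    return {"method": "GET", "headers": {}, "cookies": {"sid": sid},
            "params": {"new_user": "backdoor"}}


def legitimate_request(sid):
    # The site's own form includes the token rendered for this session.
    return {"method": "POST", "headers": {"Origin": TRUSTED_ORIGIN},
            "cookies": {"sid": sid},
            "params": {"new_user": "alice", "csrf_token": csrf_token(sid, "add_user")}}


def demo():
    """Status codes for: vulnerable/forged POST, vulnerable/forged GET,
    hardened/forged POST, hardened/forged GET, hardened/legitimate POST."""
    sid = login("nagiosadmin")
    return (add_user_vulnerable(forged_request(sid))[0],
            add_user_vulnerable(forged_get(sid))[0],
            add_user_hardened(forged_request(sid))[0],
            add_user_hardened(forged_get(sid))[0],
            add_user_hardened(legitimate_request(sid))[0])


if __name__ == "__main__":
    print(demo())  # (200, 200, 403, 405, 200)
```

The Origin check is a second layer, not a replacement for the token: older browsers and some request types omit the header, which is why the handler treats a missing Origin as undecided and still insists on the token.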

It is recommended to upgrade to Nagios XI 2009R1.2C.

I would like to thank the Nagios sales staff for quickly responding, notifying the developers and producing fixes relatively quickly.


Nagios XI Login XSS

The login page for the Nagios XI management interface prior to version 2009R1.3 is vulnerable to cross-site scripting (XSS). This vulnerability does not require the victim to be authenticated.

The vendor recommends upgrading to version 2009R1.3.


Nagios XI users.php SQL Injection

Nagios XI prior to version 2009R1.3 is vulnerable to SQL injection in users.php. Specially crafted input can extract data through the database error messages. Authentication and access to users.php are required. Because the error message is not properly sanitized, the same SQL injection can also be used as a remote XSS vector.
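The two defects named above, an injectable query and an error message that reflects attacker input unescaped, usually live in one handler. The following Python/SQLite sketch is an added example, not Nagios XI code and not the advisory's exploit; the real users.php parameters are not on this page, so the `id` parameter, table layout and sample rows are constructed. It shows a UNION reading another user's hash through the concatenated query, and the error path echoing the failing statement (the XSS vector), beside a hardened version that binds parameters, returns a generic error and escapes output. SQLite's error text does not carry table contents the way MySQL's XPath-error tricks do, so the error-based extraction itself is not reproduced here.

```python
"""Hypothetical users-page handler, added as an example; not Nagios XI code.

The vulnerable version concatenates the id parameter into SQL and echoes the
failing statement plus the driver error back to the browser, giving both an
injection primitive and a reflected XSS sink. The hardened version binds
parameters, returns a generic error and escapes everything it renders.
"""
import html
import sqlite3


def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw_hash) VALUES (?, ?)",
        [("nagiosadmin", "$1$constructed$adminhash"), ("alice", "$1$constructed$alicehash")],
    )
    return conn


def show_user_vulnerable(conn, user_id):
    """Return (status, html_body); user_id is the raw request parameter."""
    sql = f"SELECT name FROM users WHERE id = {user_id}"  # injection point
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The leak: attacker-controlled text lands in the page unescaped.
        return 500, f"<p>Query failed: {sql}<br>{exc}</p>"
    if row is None:
        return 404, "<p>No such user</p>"
    return 200, f"<p>User: {row[0]}</p>"


def show_user_hardened(conn, user_id):
    """Same lookup with an integer-only parameter, bound query and escaped output."""
    try:
        uid = int(user_id)
    except ValueError:
        return 400, "<p>Invalid user id</p>"
    try:
        row = conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    except sqlite3.Error:
        # Log the exception server-side; never return SQL or driver text to the client.
        return 500, "<p>Internal error</p>"
    if row is None:
        return 404, "<p>No such user</p>"
    return 200, f"<p>User: {html.escape(row[0])}</p>"


# Constructed attacker inputs for the id parameter.
UNION_PAYLOAD = "0 UNION SELECT pw_hash FROM users WHERE name='nagiosadmin'"
XSS_PAYLOAD = "1'<script>alert(1)</script>"  # unterminated quote forces a DB error


def demo():
    conn = make_db()
    return {
        "vuln_union": show_user_vulnerable(conn, UNION_PAYLOAD),
        "vuln_xss": show_user_vulnerable(conn, XSS_PAYLOAD),
        "hard_union": show_user_hardened(conn, UNION_PAYLOAD),
        "hard_xss": show_user_hardened(conn, XSS_PAYLOAD),
        "hard_ok": show_user_hardened(conn, "1"),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(name, status, body)
```

Note that escaping the output alone would not have closed the SQL injection, and binding parameters alone would still have left any remaining error path as a reflection sink; the page's finding chains the two, so the fix has to address both.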