
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN496
_____________________________________________________________________

DATE                : 04/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Nagios XI versions prior to 5.7.3.

=====================================================================
https://www.nagios.com/downloads/nagios-xi/change-log/
_____________________________________________________________________

5.7.3 - 09/03/2020

    Added missing scheduled downtime comment data to Host/Service Status Details pages [TPS#15190] -JO

    Fixed search on services page to properly search in a case insensitive way [TPS#15241] -JO

    Fixed typo in Admin > Performance Settings max comment history age field [TPS#15227] -JO

    Fixed information tooltips in security popup during LDAP/AD user import [TPS#15247] -JO

    Fixed library path for mrtg2, in cfgmaker. In some OS versions, the path needs to be ../lib64/mrtg2, instead of ../lib/mrtg2 [TPS#15213] -LG

    Fixed library path for mrtg2, in mrtg. In some OS versions, the path needs to be ../lib64/mrtg2, instead of ../lib/mrtg2 [TPS#15213] -LG

    Fixed parameter problem_has_been_acknowledged not working on hoststatus and servicestatus API endpoints [TPS#15256] -JO

    Fixed backup/restore scripts to no longer copy over old nagiosmobile HTTPD config [TPS#15266] -JO

    Fixed issue with the parameter host_object_id (host_id works) not working with objects API calls [TPS#15263] -JO

    Fixed XSS security vulnerability in Admin -> Manage Users (Thanks Christian Weiler) [TPS#15277] -SAW

    Fixed XSS security vulnerability in Add/Manage Dashboard page and popup [TPS#15292] -JO

    Fixed privilege escalation in backend scripts run as root where some included files were editable by the nagios user (CVE-2020-15903) (thanks ERNW) -JO

    Fixed command injection vulnerability in report PDF Download (Thanks Christian Weiler) [TPS#15278] -SAW

    Fixed privilege escalation vulnerability in getprofile.sh (Thanks Christian Weiler) [TPS#15279] -SAW

    Fixed issue with Capacity Planning python script on Ubuntu 20.04 [TPS#15283] -JO

    Fixed Inbound Email Processing when using Outlook and other clients that use Windows line endings [TPS#15285] -JO

    Fixed clearner.php error on systems still running postgresql [TPS#15299] -JO

    Fixed Host/Servicegroup summary dashlets commands link not working while they are inside dashboards [TPS#15196] -JO

    Fixed Host/Service Details pages on smaller screen sizes having the record count/search bar overlap each other [TPS#15304] -JO

    Fixed issues with Dark Theme Highcharts graphs to be more readable and usable -JO


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================