
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN574
_____________________________________________________________________

DATE                : 16/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Nagios XI versions prior to 5.7.4.

=====================================================================
https://www.nagios.com/downloads/nagios-xi/change-log/
_____________________________________________________________________

5.7.4 - 10/15/2020

    Fixed issue with mysqladmin credentials not being set when creating
     a support Profile [TPS#15324] -JO
    Fixed SQL injection vulnerability in the edit page for SNMP Trap
     Interface (thanks Matthew Aberegg) -JO
    Fixed typos in Deploy Agent page [TPS#15336] -JO
    Fixed issue with servicegroup_name not being populated in schedule
     downtime popup on Service Group Grid/Overview pages [TPS#15328] -JO
    Fixed search box autocomplete not working on Host/Service Details
     pages -JO
    Fixed Auto Discovery component when scheduling a recurring scan at
     either 12 AM or PM [TPS#15342] -JO
    Fixed issue when updating a single component using the install
     button on the Manage Components page [TPS#15337] -JO
    Fixed renaming objects via PUT request in API with only a name
     change causing apply config issues [TPS#15156] -JO
    Fixed Recurring Scheduled Downtime for limited users services not
     showing up [TPS#15354] -SS,JO
    Fixed CSRF security vulnerabilities in Manage MIBs page and SNMP
     Trap Interface (thanks Chris Lyne of Tenable) -JO
    Fixed RCE security vulnerability in the Manage MIBs page (thanks
     Chris Lyne of Tenable) -JO
    Fixed Command Argument Injection vulnerability in SNMP Trap
     Interface (thanks Chris Lyne of Tenable) -JO
    Fixed Nagios BPI issues with newer systems with newer versions of
     git cmd using an invalid cmdline parameter -JO
    Fixed issue with filtered output in SLA/Availability report when
     advanced options are set [TPS#15358] -JO
    Fixed empty pending host/service check that could show up after hard
     system reset -JO

Core Config Manager (CCM) - 3.0.7

    Fixed various XSS security vulnerabilities in the object edit pages
     (thanks Matthew Aberegg) -JO
    Fixed various SQL injection security vulnerabilities in the object
     edit pages (thanks Matthew Aberegg) -JO
    Fixed bug in the CCM Audit Log page which would not allow searching
     -JO

NDO - 3.0.4

    Fixed issue with downtime brokering on startup
    Fixed logging of failed queries for
     WRITE_HOSTS/WRITE_SERVICES/WRITE_CONTACTS
    Fixed blank host/service status rows that may get added during a
     hard restart

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
