
=====================================================================

                             CERT-Renater

                   Information Note No. 2021/VULN179
_____________________________________________________________________

DATE                : 04/05/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Nagios XI versions prior to 5.8.9.

=====================================================================
https://www.nagios.com/downloads/nagios-xi/change-log/
_____________________________________________________________________

5.8.9 - 04/28/2022

     Added peer verification when loading external URLs -SAW
     Updated Nagios Core to 4.4.7 -SAW
     Updated user account settings to require password confirmation
to change email (CVE-2022-29270) (Thanks Alwin Warringa) -JO

     Updated admin account settings to require password confirmation
to change password and email (CVE-2022-29270) (Thanks Alwin Warringa) -JO

     Updated automysqlbackup script to default root mysql password
if none is set [TPS#15739] -JO

     Fixed stored XSS security issue in Nagios BPI with the info URL
not being escaped properly -JO

     Fixed stored XSS security issue with command names having
no encoding in the apply config error text -JO

     Fixed stored XSS related to update checking -SAW

     Fixed redirect on login page where redirect parameter urls
could redirect user externally after login (CVE-2022-29272) (Thanks
Alwin Warringa) -JO

     Fixed issue in 5.8.0 upgrade for Debian and Ubuntu users -SAW

     Fixed scheduled report/send report email script allowing HTML
code to be used in the message field (CVE-2022-29269) (Thanks Alwin
Warringa) -JO

     Fixed scheduled downtime page allowing read-only users to
submit downtimes via crafted POST requests (CVE-2022-29271) (Thanks
Alwin Warringa) -JO


     Core Config Manager (CCM) - 3.1.7

     Fixed copying of service object not copying excludes for
Host/Hostgroups [TPS#15732] -JO

     Fixed reflected XSS security issue in lock page Cancel
button not urlencoding the returnurl value -JO

     Properly fixed XSS security issue in search input on audit
log page (thanks Hieu Tran (jkana101) from VCB STeam) -JO
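
Added example, not Nagios code and not part of the original advisory: a defensive validator for a post-login "redirect" parameter of the kind described in the CVE-2022-29272 entry above, which accepts only same-site paths and otherwise falls back to a fixed landing page. The landing page, the function names and the sample inputs are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Hypothetical default landing page; the real post-login target is whatever
# the application's own login handler uses.
DEFAULT_LANDING = "/nagiosxi/index.php"


def safe_redirect_target(candidate, default=DEFAULT_LANDING):
    """Return a same-site path for the post-login redirect, or the default.

    Only absolute paths on this host ("/nagiosxi/...") are accepted. A value
    with a scheme or host, a protocol-relative "//" prefix, backslashes or
    control characters falls back to the default landing page.
    """
    if not candidate:
        return default
    # Browsers treat "\" like "/" and drop some control characters, so a
    # value such as "/\evil.example" would turn into "//evil.example".
    if any(ch == "\\" or ord(ch) < 0x20 for ch in candidate):
        return default
    # "//host", "///host", ... all resolve to an external host in browsers
    # (extra leading slashes are ignored for http(s)), so check the raw
    # string rather than the parsed path.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    # Catches "https://evil.example", "https:evil.example", "javascript:...".
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/"):
        return default
    return candidate


def login_redirect_location(query):
    """Build the Location value for a successful login from the query dict."""
    return safe_redirect_target(query.get("redirect", ""))


if __name__ == "__main__":
    # Constructed sample redirect parameters, benign and hostile.
    for value in ["/nagiosxi/reports/", "https://evil.example/",
                  "//evil.example", "/\\evil.example", "javascript:alert(1)", ""]:
        print(repr(value), "->", login_redirect_location({"redirect": value}))
```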


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


