CVE-2018-10735
published 2018-05-16

CVE-2018-10735: A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.

Priority: P259 high
CVSS 3.0: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
Exploit: public exploit available
EPSS: 42.56% (98.5th percentile)

Affected

11 ranges listed (8 distinct once verbatim duplicate rows are removed)

Vendor          Product         Version range                   Fixed in
nagios          nagios_xi       5.2.0 – 5.2.9
nagios          nagios_xi       >= 5.4.0 < 5.4.13               5.4.13

The remaining rows are listed against this CVE but do not match its description, which names only Nagios XI. Their version ranges and fix releases (3.4.0 and 4.0.0-beta.2) are those of the Bootstrap data-target XSS advisory, CVE-2016-10735, and appear to have been merged in by an identifier mix-up; do not use them to triage this SQL injection:

bootstrap-sass  bootstrap-sass  >= 2.0.4 < 3.4.0                3.4.0
getbootstrap    bootstrap       >= 0 < 4.0.0-beta.2             4.0.0-beta.2
getbootstrap    bootstrap       >= 2.0.4 < 3.4.0                3.4.0
getbootstrap    bootstrap       >= 4.0.0-beta < 4.0.0-beta.2    4.0.0-beta.2
twbs            bootstrap       >= 2.0.4 < 3.4.0                3.4.0
twbs            bootstrap       >= 4.0.0-beta < 4.0.0-beta.2    4.0.0-beta.2

Detection & IOCs (extracted from sources)

path: /nagiosql/admin/commandline.php
url:  {{BaseURL}}/nagiosql/admin/commandline.php?cname=%27%20union%20select%20concat(md5({{num}}))%23
  • Send a GET request to /nagiosql/admin/commandline.php with the payload %27%20union%20select%20concat(md5(N))%23 in the `cname` parameter, where N is a random integer chosen per scan.
  • Compute MD5(N) locally and match the response body for that hex digest; a hit confirms the UNION-based SQL injection. The query result is reflected in the page, so no blind (boolean- or time-based) technique is needed.
  • Use the Shodan query `http.title:"nagios xi"` or the FOFA queries `app="Nagios-XI"`, `title="nagios xi"` and `app="nagios-xi"` to enumerate exposed Nagios XI instances.
  • Exploitation requires authentication as an administrator (PR:H); the SQL injection is only reachable by authenticated admin users. The probe above carries no session cookie, so on an instance that enforces the admin session a miss is inconclusive rather than a clean negative; only a matched hash is evidence.
  • The vulnerability affects Nagios XI versions up to and including 5.4.12; version 5.4.13 and later are not affected.

CVSS provenance

nvd            v3.0   7.2   HIGH     CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0   6.5   MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P
ghsa                  6.1   MEDIUM
vendor_redhat         6.1   MEDIUM

The two 6.1 MEDIUM entries carry no vector and match neither NVD score for this CVE; they are consistent with the Bootstrap advisory mixed into the Affected table above and should not be read as a second scoring of this SQL injection. Use the NVD scores when prioritising.