CVE-2018-10736
published 2018-05-16
CVE-2018-10736: A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
Priority P259, high, 7.2 (CVSS 3.0)
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 42.56% (98.5th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linuxfoundation | ceph | >= 0 < 15.2.7-0ubuntu0.20.04.2 | 15.2.7-0ubuntu0.20.04.2 |
| nagios | nagios_xi | 5.2.0 – 5.2.9 | — |
| nagios | nagios_xi | >= 5.4.0 < 5.4.13 | 5.4.13 |
Detection & IOCs (extracted from sources)
- Look for GET requests to /nagiosql/admin/info.php with a key1 parameter containing SQL UNION SELECT payloads (e.g., single-quote followed by UNION SELECT and md5/concat functions)
- Match HTTP response body for an md5 hash value echoed back, indicating successful blind/union-based SQL injection via the key1 parameter
- Shodan query 'http.title:"nagios xi"' can be used to identify exposed Nagios XI instances potentially vulnerable to this SQLi
- FOFA/Google dork queries targeting Nagios XI: app="Nagios-XI", title="nagios xi", intitle:"nagios xi" can surface vulnerable hosts
- Exploitation requires authenticated administrator credentials (PR:H), limiting unauthenticated exploitation
- The vulnerability affects Nagios XI versions up to and including 5.4.12; version 5.4.13 and later are patched
- The PoC uses a random integer (rand_int 2000000000–2100000000) as a canary value whose md5 is reflected in the response body to confirm injection; detection logic depends on this reflection
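The request-side indicators listed above, as an added Python example over web-server access logs (not code from this page or from the Nuclei template): it flags key1 values sent to admin/info.php after undoing nested URL encoding. The combined log format and the sample lines are constructed assumptions; the reflected-md5 response check needs body capture and is not covered here.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request line and status inside a combined-format access log entry.
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
GAP = r"(?:\s|/\*.*?\*/)+"  # whitespace or inline SQL comments between keywords
UNION_SELECT = re.compile(rf"union{GAP}(?:all{GAP})?select", re.I | re.S)
SQL_FUNCS = re.compile(r"\b(?:md5|concat)\s*\(", re.I)

def decode_fully(value, rounds=3):
    """Undo nested URL encoding (%2527 -> %27 -> ') up to a bounded depth."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a suspicious key1 request to admin/info.php, else None."""
    m = REQ.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/admin/info.php"):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("key1", []):
        value = decode_fully(raw)
        checks = [("quote", "'" in value or '"' in value),
                  ("union-select", bool(UNION_SELECT.search(value))),
                  ("md5/concat", bool(SQL_FUNCS.search(value)))]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            return {"method": m["method"], "path": url.path,
                    "status": int(m["status"]), "reasons": reasons}
    return None

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/May/2018:10:00:01 +0000] "GET /nagiosql/admin/info.php?key1=settings HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/May/2018:10:02:13 +0000] "GET /nagiosql/admin/info.php?key1=%27+UNION+SELECT+md5(1234)--+ HTTP/1.1" 200 740',
    '10.0.0.9 - - [16/May/2018:10:02:20 +0000] "GET /nagiosql/admin/info.php?key1=%2527%2520uNiOn%252F%252A%252A%252FsElEcT%2520concat(1,2) HTTP/1.1" 200 733',
    '10.0.0.7 - - [16/May/2018:10:03:00 +0000] "GET /nagiosxi/index.php?key1=%27 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because exploitation needs an administrator session (PR:H), a hit is worth correlating with the authenticated account and source address on the same request.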
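CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |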
GHSA
GHSA-j8cm-m5ww-6q5x: A SQL injection issue was discovered in Nagios XI before 5
ghsa_unreviewed·2022-05-14
CVE-2018-10736 [HIGH] CWE-89 GHSA-j8cm-m5ww-6q5x: A SQL injection issue was discovered in Nagios XI before 5
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
OSV
ceph vulnerabilities
osv·2021-01-28·CVSS 7.5
CVE-2020-10736 ceph vulnerabilities
Olle Segerdahl found that ceph-mon and ceph-mgr daemons did not properly
restrict access, resulting in gaining access to unauthorized resources. An
authenticated user could use this vulnerability to modify the configuration and
possibly conduct further attacks. (CVE-2020-10736)
Adam Mohammed found that Ceph Object Gateway was vulnerable to HTTP header
injection via a CORS ExposeHeader tag. An attacker could use this to gain access
or cause a crash. (CVE-2020-10753)
Ilya Dryomov found that Cephx authentication did not verify Ceph clients
correctly and was then vulnerable to replay attacks in Nautilus. An attacker
could use the Ceph cluster network to authenticate via a packet sniffer and
perform actions. This issue is a reintroduction of CVE-2018-1128.
(CVE-2020-2566
No detection rules found.
Nuclei
NagiosXI <= 5.4.12 - SQL injection
nuclei·CVSS 7.2
CVE-2018-10736 [HIGH] NagiosXI <= 5.4.12 - SQL injection
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
Template:
```yaml
id: CVE-2018-10736
info:
  name: NagiosXI <= 5.4.12 - SQL injection
  author: DhiyaneshDK
  severity: high
  description: |
    A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
  impact: |
    Authenticated administrators can execute arbitrary SQL commands to access, modify, or delete database contents, potentially compromising the entire Nagios XI instance.
  remediation: |
    Upgrade to Nagios XI version 5.4.13 or later.
  reference:
    - https://github.com/0ps/pocassistdb
    - https://github.com/jweny/pocassistdb
    - https://vulners.com/seebug/SSV:97266
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C
```
Published: 2018-05-16