cbcvebase.
CVE-2018-10737
published 2018-05-16

CVE-2018-10737: A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.

Priority: P2 · 75 · high
CVSS 3.0: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit status: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 42.56% (98.5th percentile)

Affected (2 ranges)

Vendor   Product     Version range         Fixed in
nagios   nagios_xi   5.2.0 – 5.2.9         (no fix listed)
nagios   nagios_xi   >= 5.4.0, < 5.4.13    5.4.13

Detection & IOCs (extracted from sources)

path: /nagiosql/admin/logbook.php
command: txtSearch=' and (select 1 from(select count(*),concat((select (select (select md5({{num}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
  • Look for POST requests to /nagiosql/admin/logbook.php containing SQL injection patterns in the txtSearch parameter, specifically error-based injection using GROUP BY with floor(rand(0)*2) and information_schema.tables.
  • Shodan query 'http.title:"nagios xi"' can be used to identify exposed Nagios XI instances potentially vulnerable to this CVE.
  • FOFA/Google dork queries targeting Nagios XI: app="Nagios-XI", title="nagios xi", app="nagios-xi", intitle:"nagios xi" can identify attack surface.
  • The exploit is authenticated (requires high privileges, PR:H) and targets the txtSearch POST parameter with a classic error-based SQL injection payload using GROUP BY duplicate key error technique.
  • Vulnerability affects Nagios XI versions up to and including 5.4.12; version 5.4.13 and later are patched.
  • Exploitation requires authenticated administrator-level access (CVSS PR:H), limiting the attack surface to privileged accounts.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.0      7.2     HIGH       CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck   –         7.2     HIGH       –