CVE-2019-12279
published 2019-05-22


CVSS 3.0: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC referenced
EPSS: 4.22% (89.7th percentile)
Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because it does not appear to be a legitimate SQL injection. The PoC does not show any valid injection that can be done with the variable provided, and while the username value being passed does get used in a SQL query, it is passed through SQL escaping functions when the query is built. The vendor tried to reproduce the issue without success.

Affected (1 range)

Vendor: nagios
Product: nagios_xi
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /nagiosxi/login.php?forgotpass
Path: /nagiosxi/login.php
  • Monitor POST requests to /nagiosxi/login.php?forgotpass for SQL injection payloads in the `username` parameter of the reset password form.
  • Inspect the `username` field in the POST body of reset-password requests; per the PoC, this value is passed into a SQL query and is the claimed injection point.
  • The PoC targets Nagios XI version 5.6.1 specifically; flag or alert on exploitation attempts against hosts running this version.
  • The request uses Content-Type: application/x-www-form-urlencoded with pageopt=resetpass; correlate this parameter combination with anomalous `username` values as a detection signal.
  • The vendor disputes this as a valid SQL injection vulnerability, stating that the username value is passed through SQL escaping functions and that they were unable to reproduce exploitation.

CVSS provenance

  • NVD, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • NVD, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
  • vendor_redhat: 9.8 CRITICAL