Description
SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Denis Andzakovic · text · remote · php
https://www.exploit-db.com/exploits/38827
References (3)
Core References
Various Sources x_refsource_confirm
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2012.TXT
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/55695
Scores
EPSS: 0.1974
EPSS Percentile: 95.5%
Details
CWE: CWE-89
Status: published
Products (15)
nagios/nagios_xi 2012 rc2 (3 CPE variants)
nagios/nagios_xi 2012r1.0
nagios/nagios_xi 2012r1.1
nagios/nagios_xi 2012r1.2
nagios/nagios_xi 2012r1.3
nagios/nagios_xi 2012r1.4
nagios/nagios_xi 2012r1.5
nagios/nagios_xi 2012r1.6
nagios/nagios_xi 2012r1.7
nagios/nagios_xi 2012r1.8
... and 5 more
Published: Nov 26, 2013
Tracked Since: Feb 18, 2026