← Back
2025-10-30 21:33CVE-2020-36859VulnCheck
PUBLISHED5.2CWE-89

Nagios XI < 5.7.4 Core Config Manager (CCM) SQL Injection via Object Edit Pages

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple SQL injection vulnerabilities in the object edit pages. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database.

Problem type

Affected products

Nagios

XI

< 5.7.4 - AFFECTED

References

nagios.com

https://www.nagios.com/changelog/nagios-xi/

release-notespatch
vulncheck.com

https://www.vulncheck.com/advisories/nagios-xi-ccm-sqli-via-object-edit-pages

third-party-advisory

JSON source

Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2020-36859",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-10-31T14:51:05.332Z",
    "dateReserved": "2025-10-29T19:12:11.788Z",
    "datePublished": "2025-10-30T21:33:40.529Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-10-30T21:33:40.529Z"
      },
      "title": "Nagios XI < 5.7.4 Core Config Manager (CCM) SQL Injection via Object Edit Pages",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple SQL injection vulnerabilities in the object edit pages. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple SQL injection vulnerabilities in the object edit pages. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database.<br>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Nagios",
          "product": "XI",
          "modules": [
            "Web UI – CCM object edit pages (configuration object editors)"
          ],
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "5.7.4"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
              "cweId": "CWE-89",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.nagios.com/changelog/nagios-xi/",
          "tags": [
            "release-notes",
            "patch"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/nagios-xi-ccm-sqli-via-object-edit-pages",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Nagios addresses this vulnerability as \"Fixed various SQL injection security vulnerabilities in the object edit pages.\"",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<span style=\"background-color: rgb(255, 255, 255);\">Nagios addresses this vulnerability as \"</span>Fixed various SQL injection security vulnerabilities in the object edit pages<span style=\"background-color: rgb(244, 247, 251);\">.</span><span style=\"background-color: rgb(255, 255, 255);\">\"</span><br>"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Matthew Aberegg",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-10-31T14:51:05.332Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}

Mitre source

https://cveawg.mitre.org/api/cve/CVE-2020-36859