Four security flaws in the Nagios XI network monitoring software could lead to information exposure and privilege escalation. They affect Nagios XI versions 5.11.1 and lower, are tracked as CVE-2023-40931 through CVE-2023-40934, and were patched on September 11, 2023, with the release of version 5.11.2, following responsible disclosure on August 4, 2023.
According to Outpost24 researcher Astrid Tedenbrant, “Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections. The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data, such as password hashes and API tokens.”