Home

Description

Nagios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly.

PUBLISHED Reserved 2025-10-28 | Published 2025-10-30 | Updated 2025-10-31 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

Any version before 2012R1.3
affected

References

www.nagios.com/changelog/nagios-xi/ release-notes patch

www.vulncheck.com/...ios-xi-authenticated-sqli-in-legacy-ccm third-party-advisory

cve.org (CVE-2012-10063)

nvd.nist.gov (CVE-2012-10063)

Download JSON