CVE-2020-36857 | THREATINT

Description

Nagios XI versions prior to 5.6.14 contain a post-authentication SQL injection vulnerability in the SNMP Trap Interface page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database.

PUBLISHED Reserved 2025-10-21 | Published 2025-10-30 | Updated 2025-10-31 | Assigner VulnCheck

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

Any version before 5.6.14

affected

Credits

IBM X-Force Exchange finder

References

www.nagios.com/products/security/ vendor-advisory patch

www.nagios.com/changelog/nagios-xi/ release-notes patch

www.vulncheck.com/...cated-sqli-via-snmp-trap-interface-page third-party-advisory

cve.org (CVE-2020-36857)

nvd.nist.gov (CVE-2020-36857)

Download JSON