Short Name |
HTTP:NAGIOS-MAG-CND-INJ |
---|---|
Severity |
Major |
Recommended |
Yes |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Nagios XI Magpie cURL Argument Injection |
Release Date |
2018/12/20 |
Update Number |
3126 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
An argument injection vulnerability has been reported in the Magpie RSS module of Nagios XI. The vulnerability is due to insufficient validation of HTTPS URLs submitted to the magpie_debug.php script. A remote, unauthenticated attacker can exploit this vulnerability by sending a request containing a crafted URL parameter to the target system. Successful exploitation could result in the execution of arbitrary code as the apache user.
Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.