CVE-2012-10063
Published: 30 October 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2012-10063 is a SQL injection vulnerability (CWE-89) affecting Nagios XI versions prior to 2012R1.3, specifically in the legacy Core Configuration Manager (CCM) interface. The flaw allows authenticated users to alter the structure of SQL queries by supplying crafted input to certain CCM parameters, giving them unauthorized access to configuration data stored in the application's database. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high potential impact on confidentiality, integrity, and availability.
An attacker with authenticated access to the Nagios XI instance can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables disclosure or modification of notification data and, in some cases, broader impact on the application database, such as unauthorized reading or alteration of other stored data.
Mitigation consists of upgrading to Nagios XI 2012R1.3 or later, the first version outside the affected range. Additional details are available in the Nagios XI changelog at https://www.nagios.com/changelog/nagios-xi/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/nagios-xi-authenticated-sqli-in-legacy-ccm.
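The following is an added example, not code from Nagios XI or from either advisory linked above. It models the CWE-89 defect class the summary describes with a small in-memory SQLite table: one lookup splices a request parameter into the query text, the other binds it as a parameter and allow-lists the one part of the statement (a sort column name) that cannot be bound. The table name host_config, its columns, the sample rows and the allow-list are all constructed for this example and are not Nagios XI schema.

```python
"""Added example (not Nagios XI code): a CWE-89 lookup, vulnerable vs. hardened."""
import sqlite3

# Constructed sample data standing in for a configuration table.
SAMPLE_HOSTS = [
    (1, "web01", "10.0.0.11", "admin@example.invalid"),
    (2, "db01", "10.0.0.12", "dba@example.invalid"),
    (3, "mail01", "10.0.0.13", "postmaster@example.invalid"),
]

# Identifiers cannot be passed as bound parameters, so a sort column chosen by
# the client must be matched against a fixed set before it enters the statement.
ALLOWED_SORT_COLUMNS = {"host_name", "address"}


def make_db():
    """Build a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE host_config ("
        "id INTEGER PRIMARY KEY, host_name TEXT, address TEXT, contact TEXT)"
    )
    conn.executemany("INSERT INTO host_config VALUES (?, ?, ?, ?)", SAMPLE_HOSTS)
    return conn


def lookup_vulnerable(conn, host_name):
    """Vulnerable pattern: the request value becomes part of the SQL text.

    A quote character in host_name ends the string literal early, so the
    remainder of the input is parsed as SQL and changes what the query does.
    """
    sql = "SELECT host_name, contact FROM host_config WHERE host_name = '%s'" % host_name
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, host_name, sort_by="host_name"):
    """Hardened pattern: the value is bound; the identifier is allow-listed.

    Whatever host_name contains is compared as data against the column and can
    never alter the statement's structure. sort_by is rejected unless it is one
    of the known column names, because it has to be interpolated as an identifier.
    """
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (sort_by,))
    sql = "SELECT host_name, contact FROM host_config WHERE host_name = ? ORDER BY " + sort_by
    return conn.execute(sql, (host_name,)).fetchall()


def sort_column_is_rejected(conn, sort_by):
    """Return True when the hardened lookup refuses the given sort column."""
    try:
        lookup_hardened(conn, "web01", sort_by=sort_by)
    except ValueError:
        return True
    return False


def compare(host_name):
    """Run both lookups on the same input and return the row counts each yields."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, host_name)),
        "hardened_rows": len(lookup_hardened(conn, host_name)),
    }


if __name__ == "__main__":
    # A value containing a quote: the vulnerable lookup returns every row,
    # the hardened one finds no host literally named that.
    print(compare("web01"))
    print(compare("x' OR '1'='1"))
```

The same split applies when reviewing any web-application database layer: every value taken from a request goes through a bound parameter, and every identifier (table, column, sort direction) goes through an allow-list, since no driver can bind those. Grepping a code base for string concatenation or `%`/`format` calls that build SQL is a cheap first pass for finding the vulnerable shape.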
Details
- CWE(s): CWE-89
- Affected Products: Nagios XI versions prior to 2012R1.3
- MITRE ATT&CK Enterprise Techniques: T1190, T1213.006
Why these techniques?
SQL injection in the public-facing Nagios XI web application maps to Exploit Public-Facing Application (T1190), and the resulting unauthorized access to or modification of the application database maps to Data from Information Repositories: Databases (T1213.006).