CVE-2016-15050
Published: 30 October 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2016-15050 is a SQL injection vulnerability (CWE-89) in the notification search functionality of Nagios XI versions prior to 5.2.4. User-supplied search parameters are incorporated directly into SQL statements without adequate parameterization or sanitization, enabling an authenticated user to manipulate database queries.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely by an authenticated user with low privileges, requiring low complexity and no user interaction. Successful exploitation allows disclosure or modification of notification data and, in some cases, broader impacts on the application database.
Mitigation requires upgrading to Nagios XI version 5.2.4 or later. Additional details are provided in the Nagios XI changelog at https://www.nagios.com/changelog/nagios-xi/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/nagios-xi-sqli-in-notification-search.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability directly enables unauthorized manipulation of database queries, allowing disclosure (T1213.006) and modification (T1565.001) of notification data and broader application database content.