CVE-2020-36859
Published: 30 October 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2020-36859 covers multiple SQL injection vulnerabilities (CWE-89) in the Core Config Manager (CCM) component of Nagios XI, affecting versions prior to CCM 3.0.7 and Nagios XI 5.7.4. The flaws reside in the object edit pages, where unsanitized user-supplied input is incorporated directly into the SQL queries executed by the configuration object editors, allowing an attacker to inject SQL fragments of their own. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), rated high because of its potential for significant impact on confidentiality, integrity, and availability.
Authenticated users with low privileges can exploit these vulnerabilities remotely over the network with low complexity and no user interaction required. Successful exploitation enables unauthorized disclosure or modification of configuration and application data stored in the database. In certain environments, this could escalate to broader compromise of the Nagios XI application or the underlying backend database.
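The summary above describes the CWE-89 pattern in general terms: a request parameter spliced into the SQL text of an object editor. The following added example (not Nagios code; the table, column names, and handler functions are hypothetical) contrasts that pattern with the hardened form a practitioner would expect, using an in-memory SQLite table with constructed rows so it runs offline:

```python
import sqlite3

# Constructed stand-in for a configuration-object table; not the real CCM schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE host_objects (id INTEGER PRIMARY KEY, name TEXT, address TEXT)"
    )
    conn.executemany(
        "INSERT INTO host_objects (name, address) VALUES (?, ?)",
        [("web01", "10.0.0.10"), ("db01", "10.0.0.20")],
    )
    return conn


def load_object_unsafe(conn, object_id):
    # Vulnerable pattern (CWE-89): the raw request value becomes part of the
    # SQL text, so anything the caller sends is parsed as SQL, not as data.
    sql = f"SELECT name, address FROM host_objects WHERE id = {object_id}"
    return conn.execute(sql).fetchall()


def validate_object_id(value):
    # Allow-list validation: an object id must be a positive integer.
    # Returns the integer, or None when the value does not qualify.
    text = str(value).strip()
    if not text.isdigit() or int(text) <= 0:
        return None
    return int(text)


def load_object_safe(conn, object_id):
    # Hardened form: validate the shape of the input, then bind it as a
    # query parameter so the database driver never treats it as SQL.
    oid = validate_object_id(object_id)
    if oid is None:
        return []  # reject rather than query; a real handler would also log this
    return conn.execute(
        "SELECT name, address FROM host_objects WHERE id = ?", (oid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A well-formed id behaves identically in both handlers.
    print(load_object_unsafe(db, "1"), load_object_safe(db, "1"))
    # Constructed malformed input: the unsafe handler widens the query to
    # every row; the safe handler refuses it.
    print(load_object_unsafe(db, "1 OR 1=1"), load_object_safe(db, "1 OR 1=1"))
```

The key difference is not the validation alone but the parameter binding: even if a validator is later loosened to admit free text (an object name, say), the `?` placeholder keeps that text out of the query grammar.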
Mitigation is to upgrade to CCM 3.0.7 or Nagios XI 5.7.4 or later, the boundaries at which the affected version ranges end. Additional details on patches and remediation are available in the Nagios XI changelog at https://www.nagios.com/changelog/nagios-xi/ and in the VulnCheck advisory at https://www.vulncheck.com/advisories/nagios-xi-ccm-sqli-via-object-edit-pages.
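Because the fix is a version boundary, the practical check during triage is whether a deployment reports a version below it. The following added helper (not part of the advisory or of Nagios tooling) compares reported Nagios XI and CCM version strings against the fixed versions named above; how the version strings are obtained from a given host is left to the operator and is not assumed here:

```python
import re

# Fixed versions as stated in the advisory text.
FIXED_NAGIOS_XI = "5.7.4"
FIXED_CCM = "3.0.7"


def parse_version(text):
    # Take the leading numeric dotted components of a version string so that
    # suffixes such as "5.7.3-beta" still compare correctly. Returns a tuple
    # padded to three components for stable comparison.
    match = re.match(r"\s*(\d+(?:\.\d+)*)", str(text))
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(xi_version, ccm_version=None):
    # A deployment is affected if its Nagios XI version is below 5.7.4, or if
    # a reported CCM version is below 3.0.7. Either condition is enough.
    if parse_version(xi_version) < parse_version(FIXED_NAGIOS_XI):
        return True
    if ccm_version is not None and parse_version(ccm_version) < parse_version(FIXED_CCM):
        return True
    return False


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, Nagios XI version, CCM version or None).
    inventory = [
        ("nagios-a", "5.7.3", "3.0.6"),
        ("nagios-b", "5.7.4", "3.0.7"),
        ("nagios-c", "5.8.0", None),
    ]
    for host, xi, ccm in inventory:
        status = "AFFECTED" if is_affected(xi, ccm) else "fixed"
        print(f"{host}: Nagios XI {xi}, CCM {ccm or 'unknown'} -> {status}")
```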
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection here serves as an exploitation vector for privilege escalation (T1068), taking a low-privileged authenticated account toward broader compromise, and as a means of collecting or modifying data held in the application's database (T1213.006).