Improper Neutralization of Special Elements in Output Used by a Downstream Component in Nagios - CVE-2020-13977
Published: June 9, 2020 / Updated: August 8, 2020
Vulnerability identifier: #VU34362
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-13977
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Nagios
Nagios
Software vendor:
nagios.org
nagios.org
Description
The vulnerability allows a remote privileged user to manipulate data.
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408.
Remediation
Install update from vendor's website.