Nagios XI 5.6.1 SQL Injection Vulnerability in login.php?forgotpass

Nagios XI 5.6.1 SQL Injection Vulnerability in login.php?forgotpass

CVE-2019-12279 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issues as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that can be done with the variable provided, and while the username value being passed does get used in a SQL query, it is passed through SQL escaping functions when creating the call. The vendor tried re-creating the issue with no luck

Learn more about our Cis Benchmark Audit For Apple Ios.