CVE-2019-12279

** DISPUTED ** Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issues as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that can be done with the variable provided, and while the username value being passed does get used in a SQL query, it is passed through SQL escaping functions when creating the call. The vendor tried re-creating the issue with no luck.
Configurations

Configuration 1

cpe:2.3:a:nagios:nagios_xi:5.6.1:*:*:*:*:*:*:*

Information

Published : 2019-05-22 04:29

Updated : 2019-08-09 07:15


NVD link : CVE-2019-12279

Mitre link : CVE-2019-12279

Products Affected
No products.
CWE