CVE-2020-28905: 
NixOS vulnerability analysis and mitigation

Improper Input Validation in Nagios Fusion 4.1.8 and earlier allows an authenticated attacker to execute remote code via table pagination. The vulnerability was discovered in October 2020 and fixed in November 2020 (Skylight Cyber, Hacker News).

The vulnerability exists in the table pagination functionality where an encoded blob containing information for multi-page tables can include PHP code that gets evaluated by the application. The evaluation occurs in the getpagedtable() function within nagiosfusion/html/includes/utils/pagination.inc.php through the PHP eval() function. The $column['eval'] value can be controlled through the table_data HTTP request parameter, allowing injection of arbitrary PHP code (Skylight Cyber).

A successful exploitation allows an authenticated attacker to execute arbitrary PHP code on the Nagios Fusion server with apache user privileges. This can be chained with other vulnerabilities to gain root access and potentially compromise the entire monitoring infrastructure (Skylight Cyber, Hacker News).

The vulnerability was patched in November 2020. Organizations should upgrade their Nagios Fusion installations to versions newer than 4.1.8 to protect against this vulnerability (Hacker News).

The vulnerability was part of a larger disclosure of 13 vulnerabilities in Nagios products that gained significant attention in the security community. Researchers emphasized how the relatively low effort required to find these vulnerabilities highlights potential risks in widely-deployed monitoring solutions (Skylight Cyber).