CVE-2020-28910
Nagios XI vulnerability analysis and mitigation

Overview

Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh (Skylight Cyber, Hacker News).

Technical details

The vulnerability exists due to insecure permissions in the getprofile.sh script, which can be run via sudo from both the nagios and apache user contexts. The script reads the last 100 lines of /usr/local/nagiosxi/tmp/phpmailer.log and writes them to /usr/local/nagiosxi/var/components/profile/$folder/phpmailer.log. Because both file locations are writable by the apache user, an attacker can modify the content of phpmailer.log and use symlinks to write data to arbitrary locations, ultimately achieving privilege escalation to root (Skylight Cyber).
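
A defender-side check for the condition described above, as an added example that is not part of the original advisory or of Nagios XI: it lists symlinks under the two directories named in the text that resolve outside their own tree. The function names and the NAGIOS_TMP/NAGIOS_PROFILE variables are assumptions, and the script relies on a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example (not Nagios code): flag symlinks that leave the directories
# getprofile.sh reads from and writes to. Paths are the ones in the text above;
# the variable and function names are assumptions made for this sketch.
NAGIOS_TMP="${NAGIOS_TMP:-/usr/local/nagiosxi/tmp}"
NAGIOS_PROFILE="${NAGIOS_PROFILE:-/usr/local/nagiosxi/var/components/profile}"

# Print "link -> resolved target" for every symlink under $1 that resolves
# outside $1 (or cannot be resolved). Prints nothing if $1 does not exist.
find_escaping_symlinks() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 0
    find "$root" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || target=""
        case "$target" in
            "$root"|"$root"/*) ;;   # resolves inside the audited tree
            *) printf '%s -> %s\n' "$link" "${target:-<unresolvable>}" ;;
        esac
    done
}

# Audit both locations that the text says are writable by the apache user.
audit_nagios_paths() {
    for dir in "$NAGIOS_TMP" "$NAGIOS_PROFILE"; do
        find_escaping_symlinks "$dir"
    done
}

audit_nagios_paths
```

Any output on a host running Nagios XI 5.7.5 or earlier is worth investigating, since a root-run write through such a link lands outside the profile tree.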

Impact

The vulnerability allows a local, low-privileged authenticated user to elevate privileges to root by exploiting the insecure file permissions and symlink handling. This gives the attacker full control over the affected Nagios XI system (GBHackers).

Mitigation and workarounds

The vulnerability was fixed in versions after Nagios XI 5.7.5. Users should upgrade to the latest version to mitigate this security issue (Hacker News).

Community reactions

The vulnerability was part of a larger disclosure of 13 critical vulnerabilities in Nagios products that gained significant attention in the cybersecurity community. Security researchers emphasized that the effort required to find and exploit these vulnerabilities is minimal for sophisticated attackers, particularly nation-states (Skylight Cyber).

This report was generated using AI.

Related Nagios XI vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2024-13997 | CRITICAL | 9.4 | Nagios XI | cpe:2.3:a:nagios:nagios_xi | No | No | Nov 03, 2025 |
| CVE-2024-13998 | MEDIUM | 6 | Nagios XI | cpe:2.3:a:nagios:nagios_xi | No | No | Nov 03, 2025 |
| CVE-2021-47698 | MEDIUM | 5.1 | Nagios XI | cpe:2.3:a:nagios:nagios_xi | No | Yes | Nov 03, 2025 |
| CVE-2024-13992 | MEDIUM | 5.1 | Nagios XI | cpe:2.3:a:nagios:nagios_xi | No | No | Oct 31, 2025 |
| CVE-2016-15054 | N/A | N/A | Nagios XI | cpe:2.3:a:nagios:nagios_xi | No | Yes | Nov 03, 2025 |
