CVE-2023-40933: 
Nagios XI vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in Nagios XI version 5.11.1 and below, identified as CVE-2023-40933. The vulnerability allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the updatebannermessage() function. The vulnerability was disclosed on September 19, 2023, and was patched with the release of version 5.11.2 on September 11, 2023 (Outpost24 Blog).

The vulnerability exists in the Announcement Banner settings functionality of Nagios XI. When performing the 'updatebannermessage_settings' action on the '/nagiosxi/admin/banner message-ajaxhelper.php' endpoint, the 'id' parameter is processed without proper sanitization and is directly concatenated into a database query. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive data stored in the database. The attacker could retrieve sensitive information such as password hashes and API tokens, which could be used for further privilege escalation within the system (Outpost24 Blog).

Users are advised to upgrade to Nagios XI version 5.11.2 or later, which contains the security fix for this vulnerability. The patch was released on September 11, 2023, as part of a security update that addressed multiple vulnerabilities (Outpost24 Blog).