CVE-2024-22196: 
Nginx UI vulnerability analysis and mitigation

Nginx-UI, an online statistics tool for Server Indicators that monitors CPU usage, memory usage, load average, and disk usage in real-time, was found to contain a vulnerability identified as CVE-2024-22196. The vulnerability was discovered in versions prior to v2.0.0.beta.9 and was patched in version 2.0.0.beta.9. This security issue involves improper validation of query parameters that could lead to information disclosure (GitHub Advisory).

The vulnerability stems from the improper handling of query parameters in the OrderAndPaginate function. The function uses DefaultQuery for the 'order' and 'sort_by' parameters, where the values 'desc' and 'id' are used as default values if the query parameters are not set. These user-controlled parameters are appended to the order variable without proper sanitization, leading to potential SQL injection. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) by NIST with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while GitHub assessed it at 7.0 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L (NVD).

The vulnerability can lead to information disclosure through SQL injection. An authenticated user with user role privileges can manipulate the query parameters to potentially extract unauthorized information from the database (GitHub Advisory).

The vulnerability has been patched in version 2.0.0.beta.9. Users are advised to upgrade to this version or later to address the security issue. The fix includes validation of the sort query to prevent SQL injection (GitHub Patch).