Multiple Vulnerabilities in Nagios Log Server 2.1.3

Mohit
1 min read · Mar 16, 2020


– [CVEID] CVE-2020-6584

– [PRODUCT] Nagios Log Server

– [VERSION] 2.1.3

– [PROBLEM TYPE] Incorrect Access Control

– [DESCRIPTION] An attacker can steal an admin's csrf_ls and PHPSESSID cookies and later perform actions with them. This attack is made possible by a privilege-escalation vulnerability in which a user with limited access can store a "query" for all users.

– [CVEID] CVE-2020-6586

– [PRODUCT] Nagios Log Server

– [VERSION] 2.1.3

– [PROBLEM TYPE] Cross-Site Scripting

– [DESCRIPTION] This vulnerability allows remote attackers to inject their own malicious script code into the client-side application via browser requests, compromising user session information or data.

– [CVEID] CVE-2020-6585

– [PRODUCT] Nagios Log Server

– [VERSION] 2.1.3

– [PROBLEM TYPE] CSRF

– [DESCRIPTION] By exploiting this issue, a malicious user can perform any action they want by sending a crafted link to the victim.
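The three advisories above share one root pattern: a saved "query" that a low-privileged user can publish to everyone, rendered without output encoding, on an application whose state-changing requests are not tied to a per-session token. The following Python model is an added example written for this post; it is not Nagios Log Server's code and does not reproduce its data model. The `Session`, `QueryStore` and role names are constructed for illustration. It shows the three controls a defender would expect in order: an authorization check on who may share a query with all users, a constant-time CSRF token comparison on the save request, and HTML-escaping of the stored name before it is rendered, plus the cookie flags that keep a session cookie out of reach of injected script.

```python
import html
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed roles for this illustration (not the product's real role model)
ADMIN = "admin"
LIMITED = "limited"


@dataclass
class Session:
    """A logged-in user: identity, role and a per-session CSRF token."""
    user: str
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class QueryStore:
    """Saved-query store that enforces who may publish a query to all users."""

    def __init__(self):
        self.queries = []  # each entry: {"owner", "name", "shared"}

    def save_query(self, session, name, shared, submitted_csrf):
        # CSRF: the token carried in the request must match the session's token.
        # compare_digest avoids leaking the token through timing differences.
        if not hmac.compare_digest(session.csrf_token, submitted_csrf):
            raise PermissionError("CSRF token mismatch")
        # Authorization: only admins may store a query visible to every user.
        # Without this check a limited user can plant content in every
        # other user's view, which is the privilege-escalation step above.
        if shared and session.role != ADMIN:
            raise PermissionError("only admins may share queries with all users")
        self.queries.append({"owner": session.user, "name": name, "shared": shared})

    def visible_to(self, session):
        """Queries a user may see: their own plus those shared by an admin."""
        return [q for q in self.queries if q["shared"] or q["owner"] == session.user]


def render_query_list(queries):
    """Render names into HTML; escaping neutralises stored script in a name."""
    return "".join(f"<li>{html.escape(q['name'], quote=True)}</li>" for q in queries)


def session_cookie_header(session_id):
    """Cookie flags: HttpOnly keeps script from reading the session cookie,
    Secure restricts it to TLS, SameSite=Lax withholds it on cross-site POSTs."""
    return f"Set-Cookie: PHPSESSID={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def demo():
    """Exercise the three controls and report what each one did."""
    store = QueryStore()
    admin = Session("alice", ADMIN)
    low = Session("bob", LIMITED)
    outcomes = {}

    # A limited user trying to publish a script-bearing name to all users
    try:
        store.save_query(low, "<script>alert(1)</script>", shared=True,
                         submitted_csrf=low.csrf_token)
        outcomes["limited_shared"] = "allowed"
    except PermissionError:
        outcomes["limited_shared"] = "blocked"

    # An admin request whose CSRF token does not match the session (forged request)
    try:
        store.save_query(admin, "errors last hour", shared=True, submitted_csrf="forged")
        outcomes["bad_csrf"] = "allowed"
    except PermissionError:
        outcomes["bad_csrf"] = "blocked"

    # A legitimate private save; markup in the name is escaped when rendered
    store.save_query(low, "<b>my</b> query", shared=False, submitted_csrf=low.csrf_token)
    outcomes["admin_sees_bob_private"] = len(store.visible_to(admin))
    outcomes["rendered"] = render_query_list(store.visible_to(low))
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(session_cookie_header("example-session-id"))
```

Run as a script to see the limited user's shared save and the forged-token request both rejected, and the private query rendered with its markup escaped. In a real deployment the same three checks belong server-side in the query-save handler and the template layer; none of them can be enforced by the browser alone.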
