{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2021-47693","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-10-29T19:30:49.133Z","datePublished":"2025-10-30T21:33:18.775Z","dateUpdated":"2025-11-17T18:21:42.360Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Search feature – text query builder/endpoint"],"product":"XI","vendor":"Nagios","versions":[{"lessThan":"5.8.5","status":"affected","version":"0","versionType":"semver"}]}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*","versionEndExcluding":"5.8.5"}]}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling.&nbsp;Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database.<br>"}],"value":"The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database."}],"impacts":[{"capecId":"CAPEC-66","descriptions":[{"lang":"en","value":"CAPEC-66 SQL Injection"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-89","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2025-11-17T18:21:42.360Z"},"references":[{"tags":["release-notes","patch"],"url":"https://www.nagios.com/changelog/nagios-xi/"},{"tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/nagios-xi-ccm-sqli-via-improper-escaping-in-search-text"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\">Nagios addresses this vulnerability as \"</span>Fixed SQL injection from improper escaping of values in search text<span style=\"background-color: rgb(244, 247, 251);\">.</span><span style=\"background-color: rgb(255, 255, 255);\">\"</span><br>"}],"value":"Nagios addresses this vulnerability as \"Fixed SQL injection from improper escaping of values in search text.\""}],"source":{"discovery":"UNKNOWN"},"title":"Nagios XI < 5.8.5 Core Config Manager (CCM) SQL Injection via Improper Escaping in Search Text","x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-31T14:52:45.662353Z","id":"CVE-2021-47693","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-31T14:52:53.982Z"}}]}}