4.1.9
- February 9, 2021
Security
- The following vulnerabilities were mitigated (thanks to Shahar Zini and Samir Ghanem from Skylight Cyber Security for reporting them):
- Fixed XSS in several dashlets when an attacker has control over a fused server (CVE-2020-28903) – SAW
- Fixed authenticated remote code execution (from the context of a low-privilege user) (CVE-2020-28905) – SAW
- Fixed privilege escalation from apache to nagios via command injection in cmd_subsys.php (CVE-2020-28902) – SAW
- Fixed privilege escalation from apache to nagios via command injection in cmd_subsys.php (CVE-2020-28901) – SAW
- Fixed privilege escalation from nagios to root via upgrade_to_latest.sh (CVE-2020-28900) – SAW
- Fixed privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config (CVE-2020-28907) – SAW
- Fixed privilege escalation from nagios to root via modification of fusion-sys.cfg (CVE-2020-28906) – SAW
- Fixed privilege escalation from nagios to root via modification of sudoers scripts (CVE-2020-28909) – SAW
- Fixed privilege escalation from apache to nagios via command injection in cmd_subsys.php (CVE-2020-28908) – SAW
- Fixed information disclosure where a low-privilege user could discover the passwords used to authenticate to fused servers (CVE-2020-28911) – SAW
Updated
- Updated the supported operating systems: RHEL/CentOS 8, CentOS Stream, Ubuntu 20.04 LTS, and Debian 10 – JO
Fixed
- Fixed an issue where TLS/SSL wasn’t shown on the LDAP/AD Integration page for servers with encryption selected [TPS#14734] – JO
- Fixed an issue where the Service Status dashlet would not show data unless the user had access to host data [TPS#15420] – SAW
