5.8.6 - September 2, 2021
Security
- Updated NagVis component to version 2.0.9 to fix security issue (thanks Scott Tolley from Synopsys Cybersecurity Research Center (CyRC)) -JO
- Fixed command injection security issue during installation of components, wizards, and dashlets in cmdsubsys -JO
  - (thanks Guillaume André of Synacktiv (https://synacktiv.com)) (CVE-2021-40345)
- Fixed security issue in backend API auth where it was not properly authenticating the insecure login ticket -JO
- Fixed security vulnerability with file permissions for the migrate nagios_unbundler.py script -JO
  - (thanks Guillaume André of Synacktiv (https://synacktiv.com)) (CVE-2021-40343)
- Fixed SQL injection in the Manage MIBs admin page and Bulk Modifications page -JO
- Fixed XSS security vulnerability in Manage My Dashboards page edit dashboard title attribute (thanks Matthew Dunn) (CVE-2021-38156) -JO
- Fixed SSRF vulnerability in Scheduled Report URL when the scheduled page URL is outside the Nagios XI system
  - (thanks Ben Leonard-Lagarde (Modux)) (CVE-2021-37223) (TPS#15594) -PhW,JO
Updated
- Updated Bulk Modifications Tool UI to use actual option names, and mirror UI from normal config page -PhW
Added
- Added Stalking Notification and None options to Single Config Option for Bulk Modifications Tool [TPS#15597] -PhW
Fixed
- Fixed issue with special characters in Top Alert Producers, State History, and Notifications reports [TPS#15599] -JO
- Fixed built-in DEV tools, so you can log values and monitor them through the web UI. -PhW
- Fixed styling issue on the Check for Updates page when in Modern Dark theme -JO
- Fixed issue in which deleting a host that has an escalation caused an invalid config. -PhW
Component Updates
Core Config Manager (CCM) 3.1.4
- Fixed reflective XSS in the test command due to double-encoded HTML entities -JO
  - (thanks Amit Raut of Trend Micro Security Research working with Trend Micro Zero Day Initiative)
