CVE-2020-13977
https://notcve.org/view.php?id=CVE-2020-13977
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408. Nagios versión 4.4.5, permite a un atacante, que presenta acceso administrativo, cambiar el ajuste de configuración "URL for JSON CGI", para modificar el código de Alert Histogram y Trends por medio de las versiones diseñadas de los archivos archivejson.cgi, objectjson.cgi y statusjson.cgi. NOTA: esta vulnerabilidad ha sido erróneamente asociada con CVE-2020-1408 • https://anhtai.me/nagios-core-4-4-5-url-injection https://github.com/sawolf/nagioscore/tree/url-injection-fix https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P6NHNG2SJAM6DXVTXQH3AOJ4WQVKJUE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H7T6MSDWMBJEVVFSOK7DOYJJWDAFQCEQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3 https://www.nagios.org/projects/nagios-core/history/ • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •