CVE-2012-10063

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

N

agios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly.

References

Link	Resource
https://www.nagios.com/changelog/nagios-xi/	Release Notes
https://www.vulncheck.com/advisories/nagios-xi-authenticated-sqli-in-legacy-ccm	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nagios:nagios_xi::::::::
	cpe:2.3:a:nagios:nagios_xi:2012:r1.0::::::
	cpe:2.3:a:nagios:nagios_xi:2012:r1.1::::::
	cpe:2.3:a:nagios:nagios_xi:2012:r1.2::::::

History

06 Nov 2025, 15:09

Type	Values Removed	Values Added
First Time		Nagios Nagios nagios Xi
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:nagios:nagios_xi:2012:r1.0:::::: cpe:2.3:a:nagios:nagios_xi:2012:r1.2:::::: cpe:2.3:a:nagios:nagios_xi:2012:r1.1:::::: cpe:2.3:a:nagios:nagios_xi::::::::
References	~~() https://www.nagios.com/changelog/nagios-xi/ -~~	() https://www.nagios.com/changelog/nagios-xi/ - Release Notes
References	~~() https://www.vulncheck.com/advisories/nagios-xi-authenticated-sqli-in-legacy-ccm -~~	() https://www.vulncheck.com/advisories/nagios-xi-authenticated-sqli-in-legacy-ccm - Third Party Advisory

30 Oct 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-30 22:15

Updated : 2025-11-06 15:09

NVD link : CVE-2012-10063

Mitre link : CVE-2012-10063

CVE.ORG link : CVE-2012-10063

JSON object : View

Products Affected

nagios_xi

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2012-10063", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-10-30T22:15:35.913", "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-authenticated-sqli-in-legacy-ccm", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to\u00a02012R1.3 contain\u00a0a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database.\u00a0Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly."}], "lastModified": "2025-11-06T15:09:58.743", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80293C30-1993-40B8-9495-6D0D9AA3E921", "versionEndIncluding": "2011"}, {"criteria": "cpe:2.3:a:nagios:nagios_xi:2012:r1.0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63DC3A03-8CB1-489F-86D2-13F271C2C48D"}, {"criteria": "cpe:2.3:a:nagios:nagios_xi:2012:r1.1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "653ED130-C4EC-4EC1-AE81-99BA7F888B33"}, {"criteria": "cpe:2.3:a:nagios:nagios_xi:2012:r1.2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B28B0CDB-0E18-4702-B498-C89431095C0D"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}