An Authorization Bypass vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated users to bypass the authentication checks via a void token.
“Resolve network incidents, collaborate with team members, and track incident history”. For more information visit https://www.nagios.com/products/nagios-incident-manager/.
The Nagios XI API allows interaction with Nagios IM through the file `/nagiosxi/includes/components/nagiosim/nagiosim.php`.
The token is read from the HTTP request, the registered API key is read from the database, and the two are checked for equality. However, this does not take into account that by default there is no `api_key` registered, so it is possible to pass the check with a void token.
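The check described above, sketched in PHP as an added example (not code from `nagiosim.php` or from the advisory); the function names and sample key are hypothetical. It contrasts an equality check that passes when both the token and the stored `api_key` are empty with one that fails closed when no key is registered.

```php
<?php
// Added illustration; function names and sample values are hypothetical,
// not taken from nagiosim.php.

// Flawed pattern: compares the request token with whatever is stored,
// even when no API key has ever been registered.
function token_ok_flawed(?string $requestToken, ?string $storedKey): bool
{
    return $requestToken == $storedKey;
}

// Hardened pattern: an unset or empty stored key means the feature is
// unconfigured, so every request is denied; empty request tokens are
// denied too, and the comparison is constant-time.
function token_ok_hardened(?string $requestToken, ?string $storedKey): bool
{
    if ($storedKey === null || $storedKey === '') {
        return false; // fail closed when no api_key is registered
    }
    if ($requestToken === null || $requestToken === '') {
        return false;
    }
    return hash_equals($storedKey, $requestToken);
}

// Constructed cases: [request token, stored api_key, description]
$cases = [
    ['', '', 'void token, no key registered (default install)'],
    ['', null, 'void token, key row missing'],
    ['s3cr3t-sample', 's3cr3t-sample', 'matching token, key registered'],
    ['wrong', 's3cr3t-sample', 'wrong token, key registered'],
    ['', 's3cr3t-sample', 'void token, key registered'],
];

foreach ($cases as [$token, $key, $label]) {
    printf(
        "%-50s flawed=%-5s hardened=%s\n",
        $label,
        var_export(token_ok_flawed($token, $key), true),
        var_export(token_ok_hardened($token, $key), true)
    );
}
```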
An authenticated attacker can update arbitrary network incidents without the proper authorization.
`[host]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=&incident_id=1337` using the logged-in session
`incident_id` is invalid, but authorization was valid.
An authenticated attacker can bypass the authorization checks and perform arbitrary actions on any network incident.
Upgrade to Nagios IM 2.2.7 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.it/it/advisories/nagiosim-void-token-authorization-bypass/
10 April 2019