Nagios IM 2.6 remote code execution exploit: CSRF + SQLi + RCE + LPE --> remote root
By chaining a Cross-Site Request Forgery (CSRF) / authorization bypass (CVE-2019-9203), a Union-based SQL injection (CVE-2019-9204), a Remote Code Execution (RCE) (CVE-2019-9202) and a Local Privilege Escalation (LPE) (CVE-2019-9166), it is possible to obtain root privileges on a remote Nagios XI server.
The victim must be authenticated in Nagios XI; as far as I know, the lowest privilege level is sufficient.