ChangeLog

+1.9.29
+Security:
+  * FIX: Fix possible deletion of arbitrary files (CVE-2021-33178)
+  An authenticated user with enough permissions to access the NagVis
+  ManageBackgrounds endpoint, such as admin, can delete arbitrary files on the
+  server limited by the rights of the Apache system user. In OMD environments,
+  such as Checkmk, this is limited to files owned by the site user. In other
+  environments this may affect all files that are writable by the web server
+  user.
+
 1.9.28
 Frontend
   * Add support for svg image based icon sets (#298 Thanks to itsul)

debian/changelog

+nagvis (1:1.9.29-1) unstable; urgency=high
+
+  * Team upload.
+  * New upstream release.
+    - Fixes CVE-2021-33178.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Sat, 11 Dec 2021 17:28:26 +0100
+
 nagvis (1:1.9.28-1) unstable; urgency=medium
 
   * Team upload.

share/server/core/classes/ViewManageBackgrounds.php

@@ -92,7 +92,7 @@ class ViewManageBackgrounds {
                 if (!$name)
                     throw new FieldInputError('name', l('Please choose a background'));
 
-                if (count($CORE->getAvailableBackgroundImages('/^'.preg_quote($name).'$/')) == 0)
+                if (!in_array($name, $CORE->getAvailableBackgroundImages()))
                     throw new FieldInputError('name', l('The background does not exist.'));
 
                 // Check whether or not the backgroun is in use

share/server/core/defines/global.php

@@ -23,7 +23,7 @@
  *****************************************************************************/
  
 // NagVis Version
-define('CONST_VERSION', '1.9.28');
+define('CONST_VERSION', '1.9.29');
 
 // Set PHP error handling to standard level
 // Different levels for php versions below 5.1 because PHP 5.1 reports