Nagios XI Core Config Manager Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been identified in the Core Config Manager (CCM) of Nagios XI, affecting versions prior to CCM 3.0.7 and Nagios XI 5.7.4. The vulnerability arises from insufficient validation or escaping of user-supplied input in the object edit pages, allowing attackers to inject and execute arbitrary scripts in the context of the victim's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, navigate to the object edit pages within the Core Config Manager of an affected Nagios XI version. The lack of proper input validation will allow for the injection of scripts that can be executed in the browser.

Remediation

Users can upgrade to Nagios XI 5.7.4 or later, or to Nagios XI version 2024R1.4 or 2024R2.2.1, both of which include the necessary fix.