Nagios XI Highcharts Export Tool Unauthenticated Cross-Site Scripting and Server-Side Request Forgery Vulnerability

Vulnerability

A vulnerability allowing unauthenticated cross-site scripting (XSS) and server-side request forgery (SSRF) has been identified in Nagios XI versions prior to 5.6.11. The issue resides in the Highcharts local exporting tool. Because exported content is not adequately output-encoded, it can be manipulated to carry injected script, creating an XSS risk; when the exported content is viewed, the injected script executes in the viewer's browser. Separately, the export server can be induced to fetch URLs chosen by the requester, so the SSRF component can reach internal resources on the export server's network and expose sensitive information from them.
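The two defects described above are the usual pair in an export service: text that ends up in markup is emitted raw, and a fetch target is accepted without checking where it points. The following is an added illustration of the corresponding controls, written for this page and not taken from Nagios XI or Highcharts; the allowlist host name, the function names and the sample chart title are constructed assumptions.

```python
import html
import ipaddress
from typing import Tuple
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the export service may fetch from.
# This is an assumption for the example, not a Nagios XI setting.
ALLOWED_FETCH_HOSTS = {"charts.example.internal"}

# Constructed sample of attacker-controllable chart text.
SAMPLE_TITLE = '<script>alert(1)</script> Host "db01" load'


def encode_chart_text(value: str) -> str:
    """HTML-encode request-controlled text before it is placed in exported markup.

    quote=True also encodes " and ', so the value is safe inside attributes
    as well as element bodies.
    """
    return html.escape(value, quote=True)


def build_export_title_unsafe(title: str) -> str:
    """The vulnerable pattern: the title is interpolated without encoding."""
    return "<text class=\"title\">" + title + "</text>"


def build_export_title(title: str) -> str:
    """The hardened pattern: the same markup with the title encoded first."""
    return "<text class=\"title\">" + encode_chart_text(title) + "</text>"


def is_internal_address(host: str) -> bool:
    """True when host is a literal IP in a private, loopback, link-local or
    otherwise non-public range. Host names are not resolved here."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; handled by the allowlist check
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified
    )


def check_export_url(url: str) -> Tuple[bool, str]:
    """Decide whether the export service may fetch this URL.

    Returns (allowed, reason). Only http/https are accepted, literal
    internal addresses are rejected, and the host must be on the allowlist.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname  # lower-cased, brackets stripped for IPv6
    if not host:
        return False, "missing host"
    if is_internal_address(host):
        return False, "internal address"
    if host not in ALLOWED_FETCH_HOSTS:
        return False, "host not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    print(build_export_title_unsafe(SAMPLE_TITLE))
    print(build_export_title(SAMPLE_TITLE))
    for candidate in (
        "https://charts.example.internal/chart.svg",
        "http://127.0.0.1/",
        "http://10.0.0.5/",
        "file:///etc/hosts",
        "http://other.example.com/",
    ):
        print(candidate, check_export_url(candidate))
```

The allowlist is matched on the host name exactly, so it does not by itself defend against a permitted name later resolving to an internal address; a deployment that cannot pin the allowed hosts should resolve the name and apply `is_internal_address` to every returned address before connecting.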

Impact

Exploitation of this vulnerability allows cross-site scripting, in which an attacker injects script that runs in the context of the user's browser session. The server-side request forgery aspect lets an attacker make the server issue requests to internal resources, potentially leading to unauthorized access to, or disclosure of, sensitive information.

Reproduction

To reproduce this vulnerability, send a crafted export request through the Highcharts local exporting tool in Nagios XI. The request should exploit the insufficient output encoding to inject a script, which will execute when the exported content is viewed. Additionally, the request can be crafted to fetch an external URL that the Nagios XI server has access to, demonstrating the SSRF aspect by accessing internal resources.

Remediation

Upgrade to Nagios XI version 5.6.11 or later, where this vulnerability has been addressed.

Added: Oct 30, 2025, 11:48 PM
Updated: Oct 30, 2025, 11:48 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 3.5
exploitability: 6.7
remediation: 7.7
relevance: 0.8
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.