Nagios XI Core Config Manager Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Core Config Manager (CCM) of Nagios XI, specifically in versions prior to Nagios XI 5.8.0 and CCM 3.1.0. The vulnerability resides in the Templates pages, within the user interface logic that manages the Active/Actions buttons. This issue arises from inadequate validation or escaping of user-provided input, which could enable an attacker to inject and execute arbitrary scripts in the context of the affected user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, navigate to the Templates pages within the Core Config Manager of Nagios XI versions prior to 5.8.0. Interact with the Active/Actions buttons, which will trigger the vulnerability by executing any injected scripts.

Remediation

Users can upgrade to Nagios XI 5.8.0 or later, or to Core Config Manager version 3.1.0 or later, where this vulnerability has been addressed.