Nagios XI Core Config Manager Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been identified in the Core Config Manager (CCM) of Nagios XI, specifically in versions prior to 5.8.2. The vulnerability arises from insufficient validation and escaping of user input in the 'Services' page, particularly within the 'config_name' and 'service_description' fields. This flaw could allow an attacker to inject and execute arbitrary scripts in the context of the victim's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, navigate to the 'Services' page within the Core Config Manager of Nagios XI versions prior to 5.8.2. Input a script into the 'config_name' or 'service_description' fields. The lack of proper validation will allow the script to be executed in the browser.

Remediation

Users can upgrade to Nagios XI version 5.8.2 or later, or to Nagios XI version 2024R1.4 or 2024R2.2.1, both of which include the necessary fix.