Nagios XI Core Config Manager Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Core Config Manager (CCM) of Nagios XI, specifically in versions prior to CCM 3.1.4 and Nagios XI 5.8.6. The vulnerability arises from insufficient validation or escaping of user-supplied input in the Test Command functionality, allowing an attacker to inject and execute arbitrary scripts in the context of the victim's browser.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, navigate to the Core Config Manager in an affected version of Nagios XI. Use the Test Command feature to send a command that includes a script injection. The lack of proper input validation will allow the script to execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to Nagios XI 5.8.6 or later, or to CCM version 3.1.4 or later, to address this vulnerability.