Nagios XI Core Config Manager Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the Core Config Manager (CCM) of Nagios XI, affecting versions prior to 5.8.8 and CCM versions prior to 3.1.6. The vulnerability arises from insufficient validation or escaping of user-supplied input in the search and deletion interfaces, allowing an attacker to inject and execute arbitrary scripts in the context of the victim's browser.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, navigate to the Core Config Manager (CCM) in an affected version of Nagios XI. Use the search or deletion interfaces to input data. The lack of proper validation or escaping will allow for the injection of scripts, which can be executed when the input is processed by the application.
Remediation
Users can upgrade to Nagios XI version 5.8.8 or later, or to CCM version 3.1.6 or later, where this vulnerability has been addressed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.