Nagios XI
cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*
- < 2024R1.1.2
A reflected cross-site scripting vulnerability has been identified in Nagios XI versions prior to 2024R1.1.2. This issue arises on the login page when accessed with older web browsers. The vulnerability is due to insufficient validation or escaping of user-supplied input, which is reflected by the login page. An attacker can craft a malicious link that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser within the context of the Nagios XI site. While this issue is prominent in legacy browsers, modern browsers may mitigate some of the attack vectors.
Successful exploitation results in reflected cross-site scripting: script injected through the crafted link executes in the victim's browser, within the context of the Nagios XI site.
To reproduce this vulnerability, access the Nagios XI login page using an older web browser that does not have modern security features. Once on the login page, inject a script through a crafted link that exploits the lack of input validation. This can be done by manipulating the URL to include JavaScript code, which will be executed when the link is followed.
Users can upgrade to Nagios XI version 2024R1.1.2 or later to address this vulnerability.