Nagios XI Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Nagios XI version 2024R1.1.4. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the 'Name' parameter on the Account Settings page. The injected scripts are automatically executed when the affected page is accessed, potentially compromising other users' accounts.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed automatically for users who access the affected page.

Reproduction

To reproduce this vulnerability, navigate to the 'Account Settings' page in Nagios XI 2024R1.1.4. Enter a script payload into the 'Name' (alias) field, for example a script tag containing JavaScript code such as an alert. Save the changes, then visit the 'Host Status Detail', 'Host Group Summary', or 'Host Group Overview' pages to observe the execution of the injected script.

Remediation

Users are advised to upgrade to Nagios XI version 2024R1.1.5 or above.
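The root cause of this class of bug is a stored, user-controlled value (here the account alias) being written into page markup without output encoding. The following is an added illustration, not Nagios XI code: it contrasts the vulnerable rendering pattern with the hardened one and adds an optional save-time check. The account object shape, the `alias` field name, the row template and the sample payload are all constructed for this example.

```javascript
// Added example (not Nagios XI code): HTML-encode a user-controlled display
// name before it is rendered into a status page.
//
// Assumptions (constructed for illustration): the account record is a plain
// object with an `alias` field, and the status page builds an HTML table row
// by string interpolation.

// Encode the five characters that can break out of HTML text or a quoted
// attribute value. Every other character passes through unchanged.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored alias is interpolated straight into markup,
// so any tags inside it become part of the page for every viewer.
function renderHostRowUnsafe(account) {
  return `<tr><td class="contact">${account.alias}</td></tr>`;
}

// Hardened pattern: the alias is encoded at the point of output, so the
// browser displays the characters instead of interpreting them.
function renderHostRowSafe(account) {
  return `<tr><td class="contact">${escapeHtml(account.alias)}</td></tr>`;
}

// Optional defence in depth: reject aliases containing angle brackets when
// the account is saved. Output encoding stays the primary control; input
// validation alone is bypassable and must not reject legitimate names
// such as "O'Brien", which is why only < and > are refused here.
function validateAlias(alias) {
  if (typeof alias !== "string" || alias.length === 0 || alias.length > 100) {
    return false;
  }
  return !/[<>]/.test(alias);
}

// Constructed sample account whose alias carries a script tag, mirroring the
// payload class the advisory describes.
const sampleAccount = { alias: "<script>alert(1)</script>" };

console.log("unsafe:", renderHostRowUnsafe(sampleAccount));
console.log("safe:  ", renderHostRowSafe(sampleAccount));
console.log("validateAlias:", validateAlias(sampleAccount.alias));
```

The same `escapeHtml` is correct for text nodes and for values placed inside a quoted attribute; an alias that ends up in a URL, inline script or CSS context needs that context's own encoder, which is why templating engines that auto-escape by context are preferable to hand-written concatenation.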

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

Category        Score
spread          5.0
impact          1.7
exploitability  6.3
remediation     7.7
relevance       0.0
threat          6.5
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.