Cross-site Scripting occurrences in Nagios XI
Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5. (2022-09-07, CVE-2022-38254)
Nagios XI before v5.8.7 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at auditlog.php. (2022-09-07, CVE-2022-38248)
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the MTR component in version 1.0.4. (2022-09-07, CVE-2022-38249)
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Performance Settings page under the Admin panel. (2022-09-07, CVE-2022-38251)
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Settings page under the Admin panel. (2022-09-07, CVE-2022-38247)
The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload. (2021-10-14, CVE-2021-33179)
In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard. (2021-09-15, CVE-2021-38156)
Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server. (2021-02-15, CVE-2021-25299)
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field). (2020-11-16, CVE-2020-27991)
Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard). (2020-11-16, CVE-2020-27989)
Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field). (2020-11-16, CVE-2020-27988)
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent). (2020-11-16, CVE-2020-27990)
Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option. (2020-07-22, CVE-2020-15902)
Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter. (2020-03-22, CVE-2020-10821)
Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter. (2020-03-22, CVE-2020-10820)
Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter. (2020-03-22, CVE-2020-10819)
In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user. (2019-12-30, CVE-2019-20139)
Nagios XI before 5.5.4 has XSS in the auto login admin management page. (2019-07-10, CVE-2018-17147)
A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page. (2019-06-19, CVE-2018-17146)
Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. (2019-03-28, CVE-2019-9167)
Command injection in Nagios XI before 5.5.11 allows an authenticated user to execute arbitrary remote commands via a new autodiscovery job. (2019-03-28, CVE-2019-9164)
An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability. (2018-12-17, CVE-2018-20172)
An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability. (2018-12-17, CVE-2018-20171)
Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php. (2018-11-14, CVE-2018-15713)
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php. (2018-11-14, CVE-2018-15712)
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters. (2018-11-14, CVE-2018-15714)
An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter. (2018-04-30, CVE-2018-10554)
Why Cross-site Scripting can be dangerous
Cross-site scripting is an attack in which a web page executes code injected by an adversary. It usually arises where user input is displayed. This attack can be used to impersonate a user, take over control of the session, or even steal API keys.
The attack can be executed, for example, when your application inserts a request parameter directly into the HTML code of the page returned to the user:
https://server.com/confirmation?message=Transaction+Complete
which results in:
<span>Confirmation: Transaction Complete</span>
In that case the message can be modified to become valid JavaScript code, e.g.:
https://server.com/confirmation?message=<script>dangerous javascript code here</script>
and it will be executed locally by the user's browser with full access to the user's personal application/browser data:
<span>Confirmation: <script>dangerous javascript code here</script></span>
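The confirmation page above, rendered once in its vulnerable form and once with the parameter encoded for the HTML context it lands in. This is an added example, not code from Nagios XI or from the original page; the function names are hypothetical, server.com is the page's sample host, and the Content-Security-Policy value is an assumed defense-in-depth setting.

```javascript
// Added example: function names are hypothetical; sample URLs are constructed.

// Characters that can change the HTML parsing context in element content or
// quoted attribute values, mapped to their entity encodings.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Extract the `message` parameter; the URL parser percent-decodes it and
// turns '+' into a space, which is what the server-side framework would see.
function messageFrom(requestUrl) {
  return new URL(requestUrl).searchParams.get('message') ?? '';
}

// Vulnerable: the decoded parameter is concatenated straight into markup.
function renderUnsafe(requestUrl) {
  return `<span>Confirmation: ${messageFrom(requestUrl)}</span>`;
}

// Hardened: the parameter is output-encoded before it reaches the markup.
function renderSafe(requestUrl) {
  return `<span>Confirmation: ${escapeHtml(messageFrom(requestUrl))}</span>`;
}

// Defense in depth (assumed policy): without 'unsafe-inline', the browser
// refuses inline <script> even if an encoding step is missed somewhere.
function responseHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  };
}

// Constructed sample requests matching the two URLs in the text.
const benign = 'https://server.com/confirmation?message=Transaction+Complete';
const hostile = 'https://server.com/confirmation?message=' +
  encodeURIComponent('<script>dangerous javascript code here</script>');

for (const url of [benign, hostile]) {
  console.log('unsafe:', renderUnsafe(url));
  console.log('safe:  ', renderSafe(url));
}
console.log(responseHeaders());
```
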