A cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.
“[Nagios XI] Provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house applications, services, and systems”. For more information visit https://www.nagios.com/products/nagios-xi/.
The Nagios XI page
about/index.php (and others) allows to define which page to display in an
iframe element through the
xiwindow HTTP parameter:
An unauthenticated attacker might be able to gain access to the victim’s Nagios XI session by making them visit a malicious URL which triggers the XSS vulnerability.
Upgrade to Nagios XI 5.5.11 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.it/advisories/nagiosxi-xiwindow-xss/
10 April 2019