A cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.
“[Nagios XI] Provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house applications, services, and systems”. For more information visit https://www.nagios.com/products/nagios-xi/.
The Nagios XI page about/index.php
(and others) allows to define which page to display in an iframe
element through the xiwindow
HTTP parameter:
|
|
It is possible to execute arbitrary JavaScript code through a malicious xiwindow
.
http://nagiosxi.local/nagiosxi/about/index.php?xiwindow=a:javascript:alert(document.cookie)//
An unauthenticated attacker might be able to gain access to the victim’s Nagios XI session by making them visit a malicious URL which triggers the XSS vulnerability.
Upgrade to Nagios XI 5.5.11 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/it/advisories/nagiosxi-xiwindow-xss/
Data
10 aprile 2019