Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-36866

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-30 Oct, 2025 | 21:53
Updated At-17 Nov, 2025 | 18:21
Rejected At-
Credits

Nagios XI < 5.7.3 XSS via Manage Users in Admin Interface

Nagios XI versions prior to 5.7.3 are vulnerable to cross-site scripting (XSS) via the Manage Users page of the Admin interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:30 Oct, 2025 | 21:53
Updated At:17 Nov, 2025 | 18:21
Rejected At:
▼CVE Numbering Authority (CNA)
Nagios XI < 5.7.3 XSS via Manage Users in Admin Interface

Nagios XI versions prior to 5.7.3 are vulnerable to cross-site scripting (XSS) via the Manage Users page of the Admin interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Affected Products
Vendor
Nagios Enterprises, LLCNagios
Product
XI
Modules
  • Web UI – Admin → Manage Users (user list/detail renderers)
Default Status
unaffected
Versions
Affected
  • From 0 before 5.7.3 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-63CAPEC-63 Cross-Site Scripting (XSS)
CAPEC ID: CAPEC-63
Description: CAPEC-63 Cross-Site Scripting (XSS)
Solutions

Nagios addresses this vulnerability as "Fixed XSS security vulnerability in Admin -> Manage Users."

Configurations
Workarounds
Exploits
Credits
finder
Christian Weiler
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.nagios.com/changelog/nagios-xi/
release-notes
patch
https://www.vulncheck.com/advisories/nagios-xi-xss-via-manage-users-in-admin-interface
third-party-advisory
Hyperlink: https://www.nagios.com/changelog/nagios-xi/
Resource:
release-notes
patch
Hyperlink: https://www.vulncheck.com/advisories/nagios-xi-xss-via-manage-users-in-admin-interface
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:30 Oct, 2025 | 22:15
Updated At:06 Nov, 2025 | 20:15

Nagios XI versions prior to 5.7.3 are vulnerable to cross-site scripting (XSS) via the Manage Users page of the Admin interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches
Nagios Enterprises, LLC
nagios
>>nagios_xi>>Versions before 5.7.2(exclusive)
cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarydisclosure@vulncheck.com
CWE ID: CWE-79
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.nagios.com/changelog/nagios-xi/disclosure@vulncheck.com
Release Notes
https://www.vulncheck.com/advisories/nagios-xi-xss-via-manage-users-in-admin-interfacedisclosure@vulncheck.com
Third Party Advisory
Hyperlink: https://www.nagios.com/changelog/nagios-xi/
Source: disclosure@vulncheck.com
Resource:
Release Notes
Hyperlink: https://www.vulncheck.com/advisories/nagios-xi-xss-via-manage-users-in-admin-interface
Source: disclosure@vulncheck.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

9941Records found
CVE-2021-47697
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.50% / 65.64%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:57
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 5.8.0 XSS via Views URL Handling

Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via the Views feature URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-47696
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.50% / 65.64%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:49
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 5.8.0 XSS via BPI Config ID Handling

Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via BPI config ID handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-47690
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.50% / 65.64%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:35
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 5.8.2 Core Config Manager (CCM) XSS via Overlay Modals

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.1 / Nagios XI 5.8.2 contains multiple cross-site scripting (XSS) vulnerabilities in Overlay modals. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-47689
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.50% / 65.64%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:36
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 5.8.0 Core Config Manager (CCM) XSS via Templates Pages

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.0 / Nagios XI 5.8.0 contais a cross-site scripting (XSS) vulnerability in the Templates pages, specifically in the UI logic that renders and handles the Active/Actions buttons. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-47691
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.50% / 65.64%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:36
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 5.8.2 Core Config Manager (CCM) XSS via Services Page

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.1 / Nagios XI 5.8.2 contains multiple cross-site scripting (XSS) vulnerabilities via the Services page affecting the config_name and service_description fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-47698
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.50% / 65.64%
||
7 Day CHG~0.00%
Published-03 Nov, 2025 | 21:56
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 5.8.7 XSS in Core UI Views URL handling

Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI’s Views URL handling (escape_string()). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-47699
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.50% / 65.64%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:48
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 5.8.7 XSS in Audit Log via Send to NLS Form

Nagios XI versions prior to 5.8.7 are vulnerable to cross-site scripting (XSS) via the Audit Log page’s Send to NLS form. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-36862
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-6.9||MEDIUM
EPSS-0.08% / 23.70%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:46
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 5.6.11 Unauthenticated XSS and SSRF via Highcharts

Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSRF), potentially accessing internal network resources. An unauthenticated remote attacker can leverage these issues to execute script in a user's browser when the exported content is viewed and to disclose sensitive information reachable from the export server via SSRF.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-4285
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-6.25% / 90.71%
||
7 Day CHG~0.00%
Published-27 Dec, 2022 | 10:18
Updated-17 May, 2024 | 02:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios NCPA tail.html cross site scripting

A vulnerability classified as problematic was found in Nagios NCPA. This vulnerability affects unknown code of the file agent/listener/templates/tail.html. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 2.4.0 is able to address this issue. The name of the patch is 5abbcd7aa26e0fc815e6b2b0ffe1c15ef3e8fab5. It is recommended to upgrade the affected component. VDB-216874 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_cross_platform_agentNCPA
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43584
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.34% / 56.20%
||
7 Day CHG~0.00%
Published-24 Jan, 2024 | 00:00
Updated-16 Jun, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DOM-based Cross Site Scripting (XSS vulnerability in 'Tail Event Logs' functionality in Nagios Nagios Cross-Platform Agent (NCPA) before 2.4.0 allows attackers to run arbitrary code via the name element when filtering for a log.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_cross_platform_agentn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-28903
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-25.79% / 96.13%
||
7 Day CHG~0.00%
Published-24 May, 2021 | 12:43
Updated-04 Aug, 2024 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-fusionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25385
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-36.89% / 97.05%
||
7 Day CHG~0.00%
Published-20 Jan, 2021 | 00:45
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios Log Server 2.1.7 contains a cross-site scripting (XSS) vulnerability in /nagioslogserver/configure/create_snapshot through the snapshot_name parameter, which may impact users who open a maliciously crafted link or third-party web page.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-log_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23992
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.86% / 74.66%
||
7 Day CHG~0.00%
Published-22 Aug, 2023 | 00:00
Updated-03 Oct, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via returnUrl parameter in a crafted GET request.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-2179
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-31.47% / 96.67%
||
7 Day CHG~0.00%
Published-14 Jun, 2011 | 17:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.

Action-Not Available
Vendor-icingan/aNagios Enterprises, LLC
Product-nagiosicingan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1523
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.67% / 70.93%
||
7 Day CHG~0.00%
Published-03 May, 2011 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the layer parameter.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagiosn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15902
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-42.82% / 97.39%
||
7 Day CHG~0.00%
Published-22 Jul, 2020 | 21:28
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33179
Matching Score-6
Assigner-Black Duck Software, Inc.
ShareView Details
Matching Score-6
Assigner-Black Duck Software, Inc.
CVSS Score-6.1||MEDIUM
EPSS-57.68% / 98.11%
||
7 Day CHG~0.00%
Published-14 Oct, 2021 | 14:57
Updated-03 Aug, 2024 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiNagios XI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-3618
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.83% / 85.90%
||
7 Day CHG~0.00%
Published-06 Feb, 2018 | 16:00
Updated-06 Aug, 2024 | 05:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Nagios Business Process Intelligence (BPI) before 2.3.4 allows remote attackers to inject arbitrary web script or HTML via vectors involving index.php.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-business_process_intelligencen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10820
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-4.49% / 88.88%
||
7 Day CHG~0.00%
Published-22 Mar, 2020 | 19:53
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10821
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-24.17% / 95.95%
||
7 Day CHG~0.00%
Published-22 Mar, 2020 | 19:53
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10819
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-24.17% / 95.95%
||
7 Day CHG~0.00%
Published-22 Mar, 2020 | 19:53
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-9164
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-65.33% / 98.44%
||
7 Day CHG~0.00%
Published-28 Mar, 2019 | 16:43
Updated-04 Aug, 2024 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-9167
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-13.99% / 94.18%
||
7 Day CHG~0.00%
Published-28 Mar, 2019 | 19:14
Updated-04 Aug, 2024 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-54959
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-3.80% / 87.83%
||
7 Day CHG~0.00%
Published-20 Feb, 2025 | 00:00
Updated-01 Jul, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI 2024R1.2.2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack through the Favorites component, enabling POST-based Cross-Site Scripting (XSS).

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-28924
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-66.18% / 98.48%
||
7 Day CHG~0.00%
Published-08 Apr, 2021 | 12:57
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-network_analyzern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26023
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-37.99% / 97.11%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 21:25
Updated-03 Aug, 2024 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xifavoritesn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-6209
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.59% / 68.71%
||
7 Day CHG~0.00%
Published-31 Mar, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Nagios.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagiosn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25299
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-79.74% / 99.06%
||
7 Day CHG-0.19%
Published-15 Feb, 2021 | 12:32
Updated-03 Aug, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-5803
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.48% / 64.59%
||
7 Day CHG~0.00%
Published-13 May, 2008 | 23:00
Updated-07 Aug, 2024 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagiosn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1360
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 53.25%
||
7 Day CHG~0.00%
Published-17 Mar, 2008 | 17:00
Updated-07 Aug, 2024 | 08:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts, a different issue than CVE-2007-5624.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagiosn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13993
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.75% / 72.69%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:43
Updated-17 Nov, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios XI < 2024R1.1.2 Reflected XSS via Login Page on Older Browsers

Nagios XI versions prior to < 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiXI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-15898
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-3.83% / 87.90%
||
7 Day CHG~0.00%
Published-03 Sep, 2019 | 21:39
Updated-05 Aug, 2024 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios Log Server before 2.0.8 allows Reflected XSS via the username on the Login page.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-log_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-56432
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.38% / 58.64%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 00:00
Updated-09 Sep, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-48082
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-1.15% / 78.12%
||
7 Day CHG~0.00%
Published-14 Oct, 2024 | 00:00
Updated-10 Jul, 2025 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/axi
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38247
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-34.27% / 96.88%
||
7 Day CHG~0.00%
Published-07 Sep, 2022 | 21:14
Updated-03 Aug, 2024 | 10:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Settings page under the Admin panel.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38249
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-33.52% / 96.82%
||
7 Day CHG~0.00%
Published-07 Sep, 2022 | 21:14
Updated-03 Aug, 2024 | 10:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the MTR component in version 1.0.4.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38248
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-33.52% / 96.82%
||
7 Day CHG~0.00%
Published-07 Sep, 2022 | 21:14
Updated-03 Aug, 2024 | 10:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI before v5.8.7 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at auditlog.php.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38251
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-36.10% / 97.00%
||
7 Day CHG~0.00%
Published-07 Sep, 2022 | 21:14
Updated-03 Aug, 2024 | 10:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Performance Settings page under the Admin panel.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20171
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-3.83% / 87.90%
||
7 Day CHG~0.00%
Published-17 Dec, 2018 | 15:00
Updated-05 Aug, 2024 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20172
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-3.83% / 87.90%
||
7 Day CHG~0.00%
Published-17 Dec, 2018 | 15:00
Updated-05 Aug, 2024 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38254
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-33.52% / 96.82%
||
7 Day CHG~0.00%
Published-07 Sep, 2022 | 21:14
Updated-03 Aug, 2024 | 10:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18245
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-5.31% / 89.82%
||
7 Day CHG~0.00%
Published-17 Dec, 2018 | 15:00
Updated-05 Aug, 2024 | 11:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to NRPE.

Action-Not Available
Vendor-n/aDebian GNU/LinuxNagios Enterprises, LLC
Product-nagios_coredebian_linuxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17146
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-3.03% / 86.36%
||
7 Day CHG~0.00%
Published-19 Jun, 2019 | 17:25
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-15712
Matching Score-6
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-6
Assigner-Tenable Network Security, Inc.
CVSS Score-6.1||MEDIUM
EPSS-26.77% / 96.23%
||
7 Day CHG~0.00%
Published-14 Nov, 2018 | 18:00
Updated-16 Sep, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiNagios XI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-15713
Matching Score-6
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-6
Assigner-Tenable Network Security, Inc.
CVSS Score-5.4||MEDIUM
EPSS-3.71% / 87.70%
||
7 Day CHG~0.00%
Published-14 Nov, 2018 | 18:00
Updated-17 Sep, 2024 | 01:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiNagios XI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-7312
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-6.2||MEDIUM
EPSS-0.48% / 64.51%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 21:19
Updated-17 Nov, 2025 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nagios Fusion < 4.2.0 Email Settings Stored XSS via SMTP/sendmail

Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability when adding or configuring Email Settings. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. An attacker who can add or modify SMTP/email settings or manipulate the sendmail configuration fields could persist a malicious payload that executes in the context of other users' browsers.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-fusionFusion
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-12501
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-3.26% / 86.87%
||
7 Day CHG~0.00%
Published-16 Jun, 2018 | 13:00
Updated-17 Sep, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios Fusion before 4.1.4 has XSS, aka TPS#13332-13335.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-fusionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29269
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-5.09% / 89.61%
||
7 Day CHG~0.00%
Published-29 Jun, 2022 | 00:58
Updated-03 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails from an official email address.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17147
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-3.20% / 86.72%
||
7 Day CHG~0.00%
Published-10 Jul, 2019 | 13:59
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI before 5.5.4 has XSS in the auto login admin management page.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-15714
Matching Score-6
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-6
Assigner-Tenable Network Security, Inc.
CVSS Score-6.1||MEDIUM
EPSS-21.37% / 95.57%
||
7 Day CHG~0.00%
Published-14 Nov, 2018 | 18:00
Updated-16 Sep, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters.

Action-Not Available
Vendor-Nagios Enterprises, LLC
Product-nagios_xiNagios XI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 198
  • 199
  • Next
Details not found