CVE-2021-25299
Published 2021-02-15
Priority P3 · medium · CVSS 3.1 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit: public · EPSS 96.86% (99.9th percentile)
Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal their session cookies, or it can be chained with the other bugs from the same disclosure (CVE-2021-25296, CVE-2021-25297, CVE-2021-25298) to get one-click remote command execution (RCE) on the Nagios XI server.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | 5.7.5 | — |
Detection & IOCs (extracted from sources)
Suricata (ET Open, sid:2059094)
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nagiosxi/admin/sshterm.php?"; startswith; fast_pattern; content:"url="; nocase; pcre:"/^.+(script|onerror|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.connectwise.com/resources/cve-spotlight-nagios-xi-cve-2021-25296-25297-25298-25299; reference:cve,2021-25299; classtype:web-application-attack; sid:2059094; rev:2; metadata:affected_product Nagios, attack_target Web_Server, tls_state plaintext, created_at 2025_01_09, cve CVE_2021_25299, deployment Perimeter, deployment Internal, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Look for GET requests to /nagiosxi/admin/sshterm.php whose url= parameter carries a JavaScript pseudo-protocol, an event-handler attribute or a style= attribute (e.g., javascript:, onerror=, onload=, style=); the rule's pcre keys on exactly that keyword set.
- Exploitation requires an authenticated admin session. A login to /nagiosxi/login.php followed immediately by a crafted GET to sshterm.php from the same client is the footprint of a scanner (the Nuclei template authenticates first); a real one-click attack lands on an admin whose session already exists, so do not require the login step to be present.
- The attack can be chained with the other Nagios XI 5.7.5 bugs for one-click RCE; treat any XSS hit on sshterm.php as a high-severity event.
- Use Shodan/FOFA queries to identify exposed Nagios XI instances: Shodan title:"Nagios XI" or http.title:"nagios xi"; FOFA title="nagios xi" or app="nagios-xi".
- The ET rule (sid:2059094) inspects plaintext HTTP only (tls_state plaintext); exploitation over HTTPS is invisible to it unless the sensor sees decrypted traffic.
- The victim must be an authenticated admin user who clicks the maliciously crafted URL; unauthenticated exploitation is not directly possible.
- The Nuclei template extracts the nsp (nonce/session protection) token via regex from the login page body before submitting credentials, three requests in total; detection logic must account for this multi-step authentication flow.
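The rule above only sees plaintext HTTP, while the web server's own access log records every request after TLS termination, so the same logic is worth running log-side. The following is an added example, not code from the page, from Emerging Threats or from the Nuclei project: it reuses the keyword alternation from the rule's pcre, applies it to the decoded url= value of GET requests to /nagiosxi/admin/sshterm.php, and flags hits that follow a login POST from the same client within a short window as scanner-like. The combined log format, the 30-second window, the exact path and the sample log lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote, urlsplit

# Keyword alternation lifted from the ET rule's pcre (sid:2059094); the rule's
# leading "^.+" is dropped because we test the decoded url= value directly.
PAYLOAD_RE = re.compile(
    r"script|onerror|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|"
    r"onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style=",
    re.IGNORECASE,
)

# Apache/nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SSHTERM = "/nagiosxi/admin/sshterm.php"   # path the ET rule anchors on
LOGIN = "/nagiosxi/login.php"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def sshterm_xss_payload(entry):
    """Return the decoded url= value when a request matches the CVE-2021-25299 pattern, else None."""
    if entry["method"] != "GET":
        return None
    parts = urlsplit(entry["uri"])
    if parts.path != SSHTERM:
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() != "url":          # the rule matches "url=" with nocase
            continue
        # parse_qsl already decoded once; decode again so a double-encoded
        # payload (%2573cript -> %73cript -> script) is still caught.
        decoded = unquote(value)
        if PAYLOAD_RE.search(decoded):
            return decoded
    return None


def scan(lines, window=timedelta(seconds=30)):
    """Flag sshterm.php XSS hits; mark those preceded by a login POST from the
    same IP within `window` as scanner-like (Nuclei logs in, then fires)."""
    last_login = {}
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and urlsplit(e["uri"]).path == LOGIN:
            last_login[e["ip"]] = e["ts"]
            continue
        payload = sshterm_xss_payload(e)
        if payload is None:
            continue
        prior = last_login.get(e["ip"])
        findings.append({
            "ip": e["ip"],
            "ts": e["ts"],
            "payload": payload,
            "scanner_like": prior is not None and e["ts"] - prior <= window,
        })
    return findings


# Constructed sample log lines (not real traffic): a benign-looking request,
# a login-then-payload burst, a mixed-case lure with an event handler, and a
# double-encoded variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2025:10:00:01 +0000] "GET /nagiosxi/admin/sshterm.php?url=ssh://10.0.0.9 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2025:10:05:00 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Jan/2025:10:05:02 +0000] "GET /nagiosxi/admin/sshterm.php?url=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700',
    '10.0.0.5 - - [12/Jan/2025:11:30:00 +0000] "GET /nagiosxi/admin/sshterm.php?URL=x%22%20onmouseover%3Dalert(document.cookie)%20x%3D%22 HTTP/1.1" 200 700',
    '10.0.0.5 - - [12/Jan/2025:11:31:00 +0000] "GET /nagiosxi/admin/sshterm.php?url=%2522%253E%253C%2573cript%253E HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']:%H:%M:%S} {f['ip']} scanner_like={f['scanner_like']} payload={f['payload']!r}")
```

The second decode is the part the network rule cannot give you for free: Suricata normalises http.uri once, so a payload encoded twice in the lure URL reaches the rule still encoded, whereas the log-side check unwraps both layers before matching.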
CVSS provenance
NVD v3.1: 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
NVD v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Suricata
ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)
suricata · 2025-01-09 · CVSS 6.1 · MEDIUM
Rule: sid:2059094, rev:2 (full rule text under Detection & IOCs above)
Nuclei
Nagios XI 5.7.5 - Cross-Site Scripting
nuclei · CVSS 6.1 · MEDIUM
Nagios XI 5.7.5 contains a cross-site scripting vulnerability in the file /usr/local/nagiosxi/html/admin/sshterm.php, due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal session cookies, or it can be chained with the previous bugs to get one-click remote command execution on the Nagios XI server.
Template (info block as shown on the page):

```yaml
id: CVE-2021-25299

info:
  name: Nagios XI 5.7.5 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Nagios XI 5.7.5 contains a cross-site scripting vulnerability in the file /usr/local/nagiosxi/html/admin/sshterm.php, due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal session cookies, or it can be chained with the previous bugs to get one-click remote command execution on the Nagios XI server.
```

References:
- http://nagios.com
- http://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html
- https://assets.nagios.com/downloads/nagiosxi/versions.php
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md