CVE-2021-38156
published 2021-09-15

CVE-2021-38156: In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.

Priority: P3 50
Severity: medium, 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
Exploit: available
EPSS: 88.94% (99.8th percentile)

Affected (1 range)

Vendor   Product    Version range   Fixed in
nagios   nagios_xi  < 5.8.6         5.8.6

Detection & IOCs (extracted from sources)

url: /nagiosxi/dashboards/manage.php
url: /dashboards/#
command (POST body fragment as extracted; {{nsp_auth}} stands for the harvested NSP token): alert(document.domain)&background=&transparent=0&submitButton=Submit&nsp={{nsp_auth}}
  • Detect an exploitation attempt by matching the string 'data-title="">alert(document.domain)' in the HTTP response body of /nagiosxi/dashboards/manage.php: the injected title closes the data-title attribute and the payload lands in the rendered page.
  • The attack targets the dashboard edit functionality in Nagios XI. Monitor POST requests to /nagiosxi/dashboards/manage.php whose title or background parameters carry XSS payloads alongside the nsp token.
  • Exploitation requires an authenticated session; the reproduction above uses an administrative user, while NVD scores the flaw PR:L (low privileges). The XSS is stored/reflected and is triggered when an admin edits a dashboard. The NSP anti-CSRF token must be harvested from the page before submission, so a payload submitted without a valid nsp value is a failed attempt, not a successful one.
  • The vulnerability is fixed in Nagios XI 5.8.6 and later; scope detection rules to hosts running versions prior to 5.8.6.
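As an added example (not code from the CVE page, the Nuclei template or Nagios), the following Python implements the detection bullets above over constructed sample records: the request check for POSTs to /nagiosxi/dashboards/manage.php with a payload in title or background plus the nsp token, the response check for the data-title break-out (the exact IOC string and a slightly broader form), and the version scoping to hosts below 5.8.6. The record layout (method, path, body, response, version) and the XSS marker heuristics are assumptions for illustration.

```python
"""Detection helpers for CVE-2021-38156 (Nagios XI < 5.8.6 dashboard XSS).

Added example; not code from the CVE page, the Nuclei template or Nagios.
Record layout is an assumption: dicts with method, path, body (URL-encoded
POST body), response (HTML) and version (Nagios XI version of the host,
e.g. joined in from an asset inventory).
"""
import re
from urllib.parse import parse_qs

MANAGE_PATH = "/nagiosxi/dashboards/manage.php"
FIXED_VERSION = (5, 8, 6)

# Heuristic payload markers (assumption, not from the page).
PAYLOAD_TAIL = r"(?:<(?:script|svg|img|iframe)\b|on\w+\s*=|javascript:|alert\s*\()"
XSS_MARKERS = re.compile(r"<[a-z!/]|" + PAYLOAD_TAIL, re.IGNORECASE)
# Exact response-body IOC from the page, plus a broader form: data-title
# closed early ("") and followed by an injected attribute or a payload.
RESPONSE_SIG = 'data-title="">alert(document.domain)'
TITLE_BREAKOUT = re.compile(r'data-title=""(?:[^>\s]|>\s*' + PAYLOAD_TAIL + ")",
                            re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'5.8.5' -> (5, 8, 5); tolerant of suffixes such as '5.8.5-1'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_affected(version: str) -> bool:
    """True for Nagios XI versions before the 5.8.6 fix."""
    return parse_version(version) < FIXED_VERSION


def check_request(rec: dict) -> list:
    """Flag POSTs to manage.php whose title/background carry a payload."""
    reasons = []
    if rec.get("method") != "POST" or rec.get("path") != MANAGE_PATH:
        return reasons
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    for field in ("title", "background"):
        if any(XSS_MARKERS.search(v) for v in params.get(field, [])):
            reasons.append(f"xss payload in {field}")
    if reasons:
        # Without a valid nsp token the anti-CSRF check rejects the edit,
        # which separates a working attempt from blind spraying.
        has_nsp = bool(params.get("nsp", [""])[0])
        reasons.append("nsp token present" if has_nsp
                       else "nsp token missing (request likely rejected)")
    return reasons


def check_response(rec: dict) -> list:
    """Flag responses where the dashboard title escaped its attribute."""
    body = rec.get("response", "")
    if RESPONSE_SIG in body:
        return ["response contains IOC " + RESPONSE_SIG]
    if TITLE_BREAKOUT.search(body):
        return ["data-title attribute broken out of in response"]
    return []


def scan(records: list, scope_to_affected: bool = True) -> list:
    """Run both checks; by default skip hosts already on >= 5.8.6."""
    findings = []
    for i, rec in enumerate(records):
        version = rec.get("version")
        if scope_to_affected and version and not is_affected(version):
            continue
        reasons = check_request(rec) + check_response(rec)
        if reasons:
            findings.append({"index": i, "reasons": reasons})
    return findings


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    {"method": "POST", "path": MANAGE_PATH, "version": "5.8.5",
     "body": "title=Network+overview&background=&transparent=0&submitButton=Submit&nsp=0f1e2d"},
    {"method": "POST", "path": MANAGE_PATH, "version": "5.8.5",
     "body": "title=%3Cimg+src%3Dx+onerror%3Dalert(document.domain)%3E"
             "&background=&transparent=0&submitButton=Submit&nsp=0f1e2d"},
    {"method": "GET", "path": MANAGE_PATH, "version": "5.8.5",
     "response": '<div class="dashboard" data-title="">alert(document.domain)">Ops</div>'},
    {"method": "POST", "path": MANAGE_PATH, "version": "5.8.6",  # patched host
     "body": "title=%3Csvg+onload%3Dalert(1)%3E&background=&transparent=0&submitButton=Submit&nsp=0f1e2d"},
    {"method": "POST", "path": MANAGE_PATH, "version": "5.8.5",  # no nsp token
     "body": "title=%3Cb%3Ebold%3C/b%3E&background=&transparent=0&submitButton=Submit"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"record {f['index']}: {'; '.join(f['reasons'])}")
```

Run against the sample records, scan() reports the payload POST with a token, the response carrying the IOC string, and the tokenless attempt, and drops the hit from the 5.8.6 host unless scope_to_affected is False. The response regex is deliberately narrow: an empty data-title followed by plain text is normal page output, so only an injected attribute or a recognisable payload after the break-out is flagged.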

CVSS provenance

NVD v3.1: 5.4 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
NVD v2.0: 3.5 LOW     AV:N/AC:M/Au:S/C:N/I:P/A:N