Vulnerability Description
Nagios XI versions prior to < 2024R1.1 is vulnerable to a cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied input, allowing an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI domain.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nagios | Nagios Xi | < 2024 |
Related Weaknesses (CWE)
References
- https://www.nagios.com/changelog/nagios-xi/2024r1-1/Release Notes
- https://www.nagios.com/products/security/#nagios-xiVendor Advisory
- https://www.vulncheck.com/advisories/nagios-xi-xss-via-missing-pageThird Party Advisory
FAQ
What is CVE-2024-13992?
CVE-2024-13992 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Nagios XI versions prior to < 2024R1.1 is vulnerable to a cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable compon...
How severe is CVE-2024-13992?
CVE-2024-13992 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-13992?
Check the references section above for vendor advisories and patch information. Affected products include: Nagios Nagios Xi.