Vulnerability Description
Nagios XI versions prior to < 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nagios | Nagios Xi | < 2024 |
Related Weaknesses (CWE)
References
- https://www.nagios.com/changelog/nagios-xi/Release Notes
- https://www.nagios.com/products/security/#nagios-xiVendor Advisory
- https://www.vulncheck.com/advisories/nagios-xi-reflected-xss-via-login-page-on-oThird Party Advisory
FAQ
What is CVE-2024-13993?
CVE-2024-13993 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Nagios XI versions prior to < 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-...
How severe is CVE-2024-13993?
CVE-2024-13993 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-13993?
Check the references section above for vendor advisories and patch information. Affected products include: Nagios Nagios Xi.