E18-5m001
CVSS: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
False Positive: t
Variants: 9
Year: 2018
Description
An unauthenticated stored cross-site scripting vulnerability exists in the Nagios XI web interface.
The vulnerability resides within 'api_tool.php' and can be exploited by crafting a GET request containing a malicious 'host' parameter.
The parameter's value is then stored in bpi.conf and is later included in the web management interface.
By exploiting this vulnerability, an attacker could execute arbitrary scripts in the target's browser.