Nagios XI Stored Cross-Site Scripting (XSS): CVE-2021-38156

The Exploit Blog

Penetration Testing Blog

Nagios XI Stored Cross-Site Scripting (XSS): CVE-2021-38156
Published on September 17, 2021
Written by Raxis Research Team
Vulnerability Summary

Recently, I discovered a stored cross-site scripting (XSS) vulnerability in Nagios XI v5.8.5. The vulnerability exists in the dashboard page of Nagios XI (/dashboards/#) when administrative users attempt to edit a dashboard. The dashboard name is presented back to the user unencoded when the edit button is clicked, which can allow dashboard names with malicious JavaScript to be executed in the browser.

Proof of Concept and Exploitation Details

The vulnerability can be triggered by inserting html content that contains JavaScript into the name field of dashboards. The following payload was used to launch an alert box with the number 1 in it as a proof of concept:

“><script>alert(1)</script>

An example of this in the dashboard’s name field can be seen in the image below:

Stored XSS Payload

After clicking the edit button for the dashboard name, the dashboard’s name is loaded as unencoded HTML, as shown below:

Unescaped JavaScript Tags

After clicking the edit button for the dashboard name, the JavaScript from the script tag is executed as shown in the following image:

JavaScript Execution to Launch an Alert Box

Vulnerable Software Version

Raxis discovered this vulnerability on Nagios XI v5.8.5.

Remediating the Vulnerability

Upgrade Nagios XI to version 5.8.6 or later immediately.

Disclosure Timeline

  • August 5, 2021 – Vulnerability reported to Nagios
  • August 6, 2021 CVE-2021-38156 is assigned to this vulnerability
  • September 2, 2021 Nagios releases version 5.8.6 addressing this vulnerability

CVE Links and More

 

Raxis Research Team

Raxis Research Team
The Raxis Research Team is dedicated to staying ahead of the threat landscape. Our experts dig into emerging exploits, uncover hidden vulnerabilities, and develop resources that power our penetration testing engagements. By combining curiosity with technical precision, the team equips Raxis testers with cutting-edge intelligence to simulate real-world attacks and strengthen client defenses.

About The Exploit

The Exploit is written by Raxis penetration testers. Every post is a technical writeup from someone who runs engagements for a living, with code, command output, and the reasoning behind each step. Topics include exploit research, vulnerability disclosure, tool development, and the offensive techniques showing up in current client work.

Search The Exploit Blog

Raxis Discovered Vulnerabilities

View the CVEs and bugs that Raxis pentesters have uncovered and submitted.

Work With the Pentesters Who Wrote This Blog

The engineers behind these posts run real engagements every week. Put them on your network, web apps, APIs, or cloud and see what an attacker would find first.

Request A Quote Schedule Call

Blog Categories

Join Our Newsletter

Name(Required)
Newsletter(Required)
Do you wish to join our newsletter? We send out emails once a month that cover the latest in cybersecurity news. We do not sell your information to other parties.