The Exploit

Notes from the Front Lines of Penetration Testing

Nagios XI Stored Cross-Site Scripting (XSS): CVE-2021-38156

Nagios XI Stored Cross-Site Scripting (XSS): CVE-2021-38156
Vulnerability Summary

Recently, I discovered a stored cross-site scripting (XSS) vulnerability in Nagios XI v5.8.5. The vulnerability exists in the dashboard page of Nagios XI (/dashboards/#) when administrative users attempt to edit a dashboard. The dashboard name is presented back to the user unencoded when the edit button is clicked, which can allow dashboard names with malicious JavaScript to be executed in the browser.

Proof of Concept and Exploitation Details

The vulnerability can be triggered by inserting html content that contains JavaScript into the name field of dashboards. The following payload was used to launch an alert box with the number 1 in it as a proof of concept:

“><script>alert(1)</script>

An example of this in the dashboard’s name field can be seen in the image below:

Stored XSS Payload

After clicking the edit button for the dashboard name, the dashboard’s name is loaded as unencoded HTML, as shown below:

Unescaped JavaScript Tags

After clicking the edit button for the dashboard name, the JavaScript from the script tag is executed as shown in the following image:

JavaScript Execution to Launch an Alert Box

Vulnerable Software Version

Raxis discovered this vulnerability on Nagios XI v5.8.5.

Remediating the Vulnerability

Upgrade Nagios XI to version 5.8.6 or later immediately.

Disclosure Timeline

  • August 5, 2021 – Vulnerability reported to Nagios
  • August 6, 2021 CVE-2021-38156 is assigned to this vulnerability
  • September 2, 2021 Nagios releases version 5.8.6 addressing this vulnerability

CVE Links and More

 


Raxis Administrator

Posted on

Categories: ,

Also by Raxis Administrator

Human Vs AI Pentesting

While AI tools offer speed in detecting known vulnerabilities, they fall short with 20-35% false positives and only 50-65% success on complex threats like business logic flaws, as per mainstream reports from Verizon and OWASP. Human penetration testers at Raxis deliver 85-90% detection rates, precise prioritization, and ethical adaptability, ensuring your organization stays ahead of real-world attacks.

Partner With Raxis

Partnering with Raxis empowers your business with elite penetration testing services, competitive reseller pricing, and recurring revenue opportunities, all backed by a proven track record of excellence and a commitment to staying ahead of evolving cybersecurity threats.

Penetration Testing

Tailored, expert-led penetration testing services that uncovers hidden vulnerabilities using real-world hacker techniques, providing actionable insights to strengthen your defenses and protect against sophisticated cyber threats.

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.