Proof of Concept and Exploitation Details
An example of this in the dashboard’s name field can be seen in the image below:
After clicking the edit button for the dashboard name, the dashboard’s name is loaded as unencoded HTML, as shown below:
Vulnerable Software Version
Raxis discovered this vulnerability on Nagios XI v5.8.5.
Remediating the Vulnerability
Upgrade Nagios XI to version 5.8.6 or later immediately.
- August 5, 2021 – Vulnerability reported to Nagios
- August 6, 2021 – CVE-2021-38156 is assigned to this vulnerability
- September 2, 2021 – Nagios releases version 5.8.6 addressing this vulnerability
CVE Links and More
- Mitre CVE – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38156
- NVD – https://nvd.nist.gov/vuln/detail/CVE-2021-38156