oss-sec mailing list archives
CVE Request -- Nagios -- XSS in the network status map CGI script
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 25 Mar 2011 18:06:33 +0100
Hello Steve, vendors,

Cross-site scripting (XSS) vulnerability in Nagios allows remote attackers to inject arbitrary web script or HTML via a specially-crafted 'layer' parameter passed to the Nagios network status map CGI script (statusmap.cgi).

References:
[1] http://tracker.nagios.org/view.php?id=207
[2] http://www.rul3z.de/advisories/SSCHADV2011-002.txt
[3] http://secunia.com/advisories/43287/
[4] https://bugzilla.redhat.com/show_bug.cgi?id=690877

Public PoC (from [2]):
=====================
http://site/nagios/cgi-bin/statusmap.cgi?layer=' onmouseover="alert('XSS')" '

This doesn't seem to have a CVE id yet, so could you allocate one?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
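As an added illustration (not code from the advisory above or from Nagios itself), the following C program shows the pattern behind the reported bug: the 'layer' value placed raw inside a single-quoted HTML attribute, beside the same fragment with the value attribute-escaped so the quoted PoC can no longer close the attribute. The fragment template, the function names and the escaping helper are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Nagios code. Escapes a user-controlled value for use
 * inside an HTML attribute: &, <, >, " and ' become character references,
 * so a value such as the 'layer' PoC above can no longer close the quoted
 * attribute and start a new event handler. Returns malloc'd; caller frees. */
char *html_attr_escape(const char *in)
{
    size_t cap = strlen(in) * 6 + 1;     /* worst case: each byte -> "&quot;" */
    char *out = malloc(cap), *w = out;
    if (!out) return NULL;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(w, rep, l); w += l; }
        else *w++ = (char)*p;
    }
    *w = '\0';
    return out;
}

/* Renders the kind of fragment a CGI might emit for the layer value (assumed
 * template), either raw (the vulnerable pattern) or escaped. Returns length. */
int render_layer_attr(char *buf, size_t buflen, const char *layer, int escape)
{
    char *safe = escape ? html_attr_escape(layer) : NULL;
    const char *v = escape ? safe : layer;
    int r = snprintf(buf, buflen, "<input type='hidden' name='layer' value='%s'>", v ? v : "");
    free(safe);
    return r;
}

int main(void)
{
    char raw[256], fixed[256];
    /* constructed input: the PoC value quoted in the advisory above */
    const char *poc = "' onmouseover=\"alert('XSS')\" '";
    render_layer_attr(raw, sizeof raw, poc, 0);
    render_layer_attr(fixed, sizeof fixed, poc, 1);
    printf("vulnerable: %s\nhardened:   %s\n", raw, fixed);
    return 0;
}
```

In the raw rendering the first quote of the value terminates the attribute and the rest becomes a live onmouseover handler; in the escaped rendering every quote is a character reference, so the browser sees one attribute holding an inert string.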
Current thread:
- CVE Request -- Nagios -- XSS in the network status map CGI script Jan Lieskovsky (Mar 25)
- Re: CVE Request -- Nagios -- XSS in the network status map CGI script Steven M. Christey (Mar 28)