Description

Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSRF), potentially accessing internal network resources. An unauthenticated remote attacker can leverage these issues to execute script in a user's browser when the exported content is viewed and to disclose sensitive information reachable from the export server via SSRF.

Status: PUBLISHED | Reserved 2025-10-30 | Published 2025-10-30 | Updated 2025-10-31 | Assigner: VulnCheck

Severity: MEDIUM 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L)

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status: unaffected

Any version before 5.6.11: affected

References

www.nagios.com/changelog/nagios-xi/ (release notes, patch)

www.vulncheck.com/...thenticated-xss-and-ssrf-via-highcharts (third-party advisory)

cve.org (CVE-2020-36862)

nvd.nist.gov (CVE-2020-36862)