Home

Description

Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform unwanted actions.

PUBLISHED Reserved 2025-10-17 | Published 2025-10-30 | Updated 2025-10-31 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Default status
unaffected

Any version before 5.11.3
affected

Credits

Aleksey Solovev from Positive Technologies finder

References

www.nagios.com/products/security/ vendor-advisory patch

www.nagios.com/changelog/nagios-xi/ release-notes patch

www.vulncheck.com/...gios-xi-xss-and-csrf-via-hypermap-relay third-party-advisory

cve.org (CVE-2023-53688)

nvd.nist.gov (CVE-2023-53688)

Download JSON