Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform unwanted actions.
PUBLISHED5.2CWE-79CWE-352
Nagios XI < 5.11.3 XSS & CSRF via Hypermap Replay
Problem type
- CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
- CWE-352 Cross-Site Request Forgery (CSRF)
Affected products
Nagios
XI
< 5.11.3 - AFFECTED
References
nagios.com
https://www.nagios.com/products/security/#nagios-xi
nagios.com
https://www.nagios.com/changelog/nagios-xi/
vulncheck.com
https://www.vulncheck.com/advisories/nagios-xi-xss-and-csrf-via-hypermap-relay
JSON source
Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2023-53688",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2025-10-31T13:22:57.676Z",
"dateReserved": "2025-10-17T15:49:31.356Z",
"datePublished": "2025-10-30T21:47:42.470Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2025-10-30T21:47:42.470Z"
},
"title": "Nagios XI < 5.11.3 XSS & CSRF via Hypermap Replay",
"descriptions": [
{
"lang": "en",
"value": "Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform unwanted actions.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform unwanted actions.<br>"
}
]
}
],
"affected": [
{
"vendor": "Nagios",
"product": "XI",
"modules": [
"Hypermap Replay component"
],
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "5.11.3"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"cweId": "CWE-352",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.nagios.com/products/security/#nagios-xi",
"tags": [
"vendor-advisory",
"patch"
]
},
{
"url": "https://www.nagios.com/changelog/nagios-xi/",
"tags": [
"release-notes",
"patch"
]
},
{
"url": "https://www.vulncheck.com/advisories/nagios-xi-xss-and-csrf-via-hypermap-relay",
"tags": [
"third-party-advisory"
]
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
},
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"solutions": [
{
"lang": "en",
"value": "Nagios addresses this vulnerability as \"The Hypermap Replay component is vulnerable to a cross-site scripting attack and cross-site request forgery\" and \"Fixed a CSRF and XSS vulnerability in the hypermap replay component.\"",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "<span style=\"background-color: rgb(255, 255, 255);\">Nagios addresses this vulnerability as \"The Hypermap Replay component is vulnerable to a cross-site scripting attack and cross-site request forgery\" and \"Fixed a CSRF and XSS vulnerability in the hypermap replay component.\"</span><br>"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Aleksey Solovev from Positive Technologies",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-10-31T13:22:57.676Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}