Nagios XI versions prior to 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
PUBLISHED | 5.2 | CWE-79
Nagios XI < 2024R1.0.2 XSS via Core Command Expansion
Problem type
Affected products
Nagios
XI
< 2024R1.0.2 - AFFECTED
References
nagios.com
https://www.nagios.com/products/security/#nagios-xi
nagios.com
https://www.nagios.com/changelog/nagios-xi/2024r1-0-2/
vulncheck.com
https://www.vulncheck.com/advisories/nagios-xi-xss-via-core-command-expansion
JSON source
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2023-7318",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-10-31T13:54:53.359Z",
    "dateReserved": "2025-10-22T15:26:40.940Z",
    "datePublished": "2025-10-30T21:51:25.049Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-10-30T21:51:25.049Z"
      },
      "title": "Nagios XI < 2024R1.0.2 XSS via Core Command Expansion",
      "descriptions": [
        {
          "lang": "en",
          "value": "Nagios XI versions prior to < 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "Nagios XI versions prior to < 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser."
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Nagios",
          "product": "XI",
          "modules": [
            "Core Command Expansion page"
          ],
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "custom",
              "lessThan": "2024R1.0.2"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.nagios.com/products/security/#nagios-xi",
          "tags": [
            "vendor-advisory",
            "patch"
          ]
        },
        {
          "url": "https://www.nagios.com/changelog/nagios-xi/2024r1-0-2/",
          "tags": [
            "release-notes",
            "patch"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/nagios-xi-xss-via-core-command-expansion",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Nagios addresses this vulnerability as \"Nagios XI is vulnerable to a Cross-site scripting attack when utilizing the Nagios Core Command Expansion page\" (said to be fixed in 2024R1 on \"Security Disclosures\" site) and \"Fixed XSS in Nagios Core command expansion page\" (denoted in the 2024R1.0.2 section of the changelog).",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<span style=\"background-color: rgb(255, 255, 255);\">Nagios addresses this vulnerability as \"</span><span style=\"background-color: rgb(255, 255, 255);\">Nagios XI is vulnerable to a Cross-site scripting attack when utilizing the Nagios Core Command Expansion page</span><span style=\"background-color: rgb(255, 255, 255);\">\" (said to be fixed in 2024R1 on \"Security Disclosures\" site) and \"</span><span style=\"background-color: rgb(255, 255, 255);\">Fixed XSS in Nagios Core command expansion page</span><span style=\"background-color: rgb(255, 255, 255);\">\" (denoted in the </span><span style=\"background-color: rgb(255, 255, 255);\">2024R1.0.2 section of the changelog).</span><br>"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Joran LEREEC",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-10-31T13:54:53.359Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}