Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
| Link | Tags |
|---|---|
| http://archives.neohapsis.com/archives/bugtraq/2011-06/0018.html | patch mailing list exploit |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/67797 | vdb entry |
| http://securityreason.com/securityalert/8274 | third party advisory |
| http://www.securityfocus.com/bid/48087 | vdb entry |
| https://bugzilla.redhat.com/show_bug.cgi?id=709871 | |
| http://tracker.nagios.org/view.php?id=224 | patch vendor advisory exploit |
| http://www.openwall.com/lists/oss-security/2011/06/01/10 | mailing list |
| http://www.rul3z.de/advisories/SSCHADV2011-006.txt | patch exploit |
| http://www.openwall.com/lists/oss-security/2011/06/02/6 | mailing list |
| https://dev.icinga.org/issues/1605 | patch vendor advisory exploit |
| http://secunia.com/advisories/44974 | third party advisory |
| http://www.rul3z.de/advisories/SSCHADV2011-005.txt | patch exploit |
| http://www.ubuntu.com/usn/USN-1151-1 | vendor advisory |
| http://archives.neohapsis.com/archives/bugtraq/2011-06/0017.html | mailing list |