A reflected cross-site scripting vulnerability exists in Nagios Enterprise 2012R1.0 and below.
The xiwindow parameter (http://example.com/nagiosxi/admin/?xiwindow=) is not properly encoded when displayed to the user.
A user must be authenticated for injection to take place
Example exploit payload
You can also replace the xiwindow parameter with any content you would like to frame within the nagios admin console (for example a fake config manager login page?)
We recieved no word back from Nagios on our report, however based on past experience it should be addressed in the next release.