Nagios Enterprise XIWindow Reflected XSS

by Adam Baldwin


A reflected cross-site scripting vulnerability exists in Nagios Enterprise 2012R1.0 and below.

The xiwindow parameter ( is not properly encoded when displayed to the user.

A user must be authenticated for injection to take place

Example exploit payload;//

You can also replace the xiwindow parameter with any content you would like to frame within the nagios admin console (for example a fake config manager login page?)

We recieved no word back from Nagios on our report, however based on past experience it should be addressed in the next release.