Stefan Schurtz has discovered a vulnerability in Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "layer" parameter to cgi-bin/statusmap.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 3.2.3. Other versions may also be affected.

http://secunia.com/advisories/43287/
Looks like the upstream bug may be at http://tracker.nagios.org/view.php?id=207.
CVE-2011-1523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1523): Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the layer parameter.
Should be fixed in 3.3.1
(In reply to comment #3)
> Should be fixed in 3.3.1

I believe so; from the 3.3.1 changelog:

* Fixed XSS vulnerability in config.cgi and statusmap.cgi (Stefan Schurtz)

We'll work in bug 371302 for stabilization.
Thanks, folks. Stabilization completed; closing noglsa for XSS.