http://seclists.org/fulldisclosure/2016/Jun/20 4.3.0 - 2017-02-21 ------------------ SECURITY FIXES * Fix for CVE-2016-6209 - The "corewindow" parameter (as in http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by default. See the UPGRADING document for how to enable it. (John Frickson)
*** This bug has been marked as a duplicate of bug 585914 ***