CVE-2021-47699
📋 TL;DR
Nagios XI versions before 5.8.7 contain a cross-site scripting vulnerability in the Audit Log page's Send to NLS form. Attackers can inject malicious scripts that execute in victims' browsers when they view the compromised page. This affects all Nagios XI administrators and users who access the Audit Log functionality.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as the victim, or redirect users to malicious sites, potentially leading to full system compromise if combined with other vulnerabilities.
Likely Case
Attackers steal session cookies or credentials from authenticated users, gaining unauthorized access to the Nagios XI interface with the victim's privileges.
If Mitigated
With proper input validation and output encoding, the script injection would be neutralized, preventing any client-side execution.
🎯 Exploit Status
Exploitation requires authenticated access to the Nagios XI interface and victim interaction with the compromised Audit Log page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.7
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Back up your Nagios XI configuration.
2. Download Nagios XI 5.8.7 or later from the Nagios website.
3. Follow the official upgrade instructions at https://assets.nagios.com/downloads/nagiosxi/docs/Upgrading-Nagios-XI.pdf.
4. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
- Disable Send to NLS functionality (applies to: all): Temporarily disable the vulnerable Send to NLS form feature in the Audit Log page
- Implement WAF rules (applies to: all): Configure the web application firewall to block XSS payloads targeting the Audit Log endpoints
🧯 If You Can't Patch
- Restrict access to the Nagios XI interface to trusted networks only
- Implement Content Security Policy headers to mitigate script execution
🔍 How to Verify
Check if Vulnerable:
Check the Nagios XI version via Admin > System Config > About page. If the version is below 5.8.7, the system is vulnerable.
Check Version:
grep 'nagiosxi_version' /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
After upgrading, verify that the version is 5.8.7 or higher and test the Audit Log Send to NLS form with a basic XSS payload such as <script>alert('test')</script> to confirm that the input is sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /nagiosxi/admin/auditlog.php with script tags or JavaScript in parameters
- Multiple failed login attempts followed by successful login and Audit Log access
Network Indicators:
- HTTP requests containing <script> tags or JavaScript functions sent to Nagios XI Audit Log endpoints
SIEM Query:
source="nagios_access.log" AND (uri_path="/nagiosxi/admin/auditlog.php" AND (http_method="POST" AND (content="<script>" OR content="javascript:")))
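Added example (Python; not code from the advisory or from Nagios) that implements both checks above: the version test behind the xiversion grep, and the SIEM query's indicator applied to access-log lines, decoded and case-folded so percent-encoded payloads that the literal "<script>" match would miss are still caught. It assumes xiversion holds a nagiosxi_version=… line, a combined-format access log, and the made-up parameter name nls_target; the log lines are constructed.

```python
import re
from urllib.parse import unquote

AUDITLOG_PATH = "/nagiosxi/admin/auditlog.php"
FIXED_VERSION = (5, 8, 7)
# Indicators from the advisory, checked after URL-decoding and lower-casing
# so percent-encoded or mixed-case variants are not missed.
XSS_MARKERS = ("<script", "javascript:")
# Request line of a combined-format access log: method, URI (path + query), status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log lines (not real Nagios XI logs); the parameter name
# nls_target is made up for illustration.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jan/2024:10:00:00 +0000] "GET /nagiosxi/admin/auditlog.php HTTP/1.1" 200 5120
10.0.0.5 - admin [01/Jan/2024:10:00:05 +0000] "POST /nagiosxi/admin/auditlog.php?nls_target=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0
10.0.0.7 - ops [01/Jan/2024:10:01:00 +0000] "POST /nagiosxi/admin/auditlog.php?nls_target=JavaScript%3Aalert(1) HTTP/1.1" 302 0
10.0.0.7 - ops [01/Jan/2024:10:02:00 +0000] "POST /nagiosxi/admin/auditlog.php?nls_target=nls.example.internal HTTP/1.1" 302 0
"""

def parse_version(text):
    """Read the version from xiversion content; a 'nagiosxi_version=5.8.6'
    key=value line is assumed, matching what the grep on the page looks for."""
    m = re.search(r"nagiosxi_version\s*=\s*([\d.]+)", text)
    if not m:
        raise ValueError("no nagiosxi_version line found")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(version):
    # Tuple comparison handles 5.8.10 > 5.8.7 correctly, unlike string comparison.
    return version < FIXED_VERSION

def flag_line(line):
    """Return the matching indicator for a POST to the Audit Log page, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Decode twice so a payload encoded by the browser and again by a proxy
    # still normalises to plaintext before matching.
    decoded = unquote(unquote(m.group("uri"))).lower()
    if m.group("method") != "POST" or decoded.split("?", 1)[0] != AUDITLOG_PATH:
        return None
    return next((mk for mk in XSS_MARKERS if mk in decoded), None)

def scan_log(lines):
    """Return (line number, indicator) pairs for every flagged line."""
    return [(n, mk) for n, line in enumerate(lines, 1) if (mk := flag_line(line))]
```

Running scan_log(SAMPLE_LOG.splitlines()) flags lines 2 and 3; the plain SIEM query above would match neither, because both payloads are percent-encoded in the request line.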