CVE-2022-50585

5.4 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability in Nagios XI's Core Config Manager allows attackers to inject malicious scripts through the search input on the Audit Log page. When exploited, the injected script executes in the victim's browser and can steal session cookies or perform actions as the victim. Organizations running Nagios XI versions before 5.8.9 (CCM before 3.1.7) are affected.

💻 Affected Systems

Products:
  • Nagios XI
  • Nagios Core Config Manager (CCM)
Versions: Nagios XI versions prior to 5.8.9, CCM versions prior to 3.1.7
Operating Systems: All supported Nagios XI platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All Nagios XI installations with the CCM component are vulnerable in the default configuration. Exploitation requires user interaction: the victim must open a crafted Audit Log page URL.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals administrator session cookies, gains full administrative access to Nagios XI, and potentially compromises the entire monitoring infrastructure or uses it as a pivot point to attack other systems.

🟠 Likely Case

Attacker steals user session cookies to gain unauthorized access to Nagios XI, potentially modifying monitoring configurations or accessing sensitive system information.

🟢 If Mitigated

Script execution is blocked by browser security features or web application firewalls, limiting impact to minor UI disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to trick an authenticated user into visiting a specially crafted Audit Log page URL. The vulnerability is in the search input field on the Audit Log page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Nagios XI 5.8.9 or CCM 3.1.7

Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/

Restart Required: No

Instructions:

1. Log into Nagios XI as administrator.
2. Navigate to Admin > Updates.
3. Click 'Check for Updates'.
4. If an update to 5.8.9+ is available, click 'Update'.
5. Follow the on-screen instructions to complete the update.

🔧 Temporary Workarounds

Input Validation via WAF (applies to: all)

Configure a web application firewall to filter or block malicious script patterns in search parameters.

Content Security Policy (applies to: all)

Implement strict CSP headers to prevent inline script execution.

🧯 If You Can't Patch

  • Restrict access to Nagios XI Audit Log page to trusted users only
  • Implement network segmentation to isolate Nagios XI from critical systems

🔍 How to Verify

Check if Vulnerable:

Check the Nagios XI version via the Admin > Updates page, or run: grep 'nagios_version' /usr/local/nagiosxi/var/xiversion

Check Version:

grep 'nagios_version' /usr/local/nagiosxi/var/xiversion

Verify Fix Applied:

Verify that the Nagios XI version is 5.8.9 or higher, or that the CCM version is 3.1.7 or higher.
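The version comparison above is easy to get wrong when done as a string comparison (for example, "5.8.10" sorts before "5.8.9" lexicographically). The following added example, not part of this advisory or of Nagios' own tooling, extracts a dotted version from the text produced by the grep command and compares it numerically against the fixed versions stated here. It assumes only that the grep output contains a dotted X.Y.Z version somewhere on the line; the exact format of the xiversion file is not described on this page.

```python
import re

# Fixed versions as stated in the advisory.
FIXED_XI = (5, 8, 9)
FIXED_CCM = (3, 1, 7)

_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)')


def parse_version(text):
    """Return the first dotted X.Y.Z version in text as a tuple of ints.

    Tuple comparison is numeric per component, so (5, 8, 10) > (5, 8, 9),
    which a plain string comparison would get wrong.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no X.Y.Z version found in: %r" % text)
    return tuple(int(part) for part in m.groups())


def is_fixed(version_text, fixed):
    """True when the version found in version_text is at or above the fix."""
    return parse_version(version_text) >= fixed


def assess(xi_text, ccm_text=None):
    """Summarize patch status from the XI version line and, optionally, the CCM version line.

    Mirrors the advisory's verification rule: XI >= 5.8.9 or CCM >= 3.1.7.
    """
    xi_ok = is_fixed(xi_text, FIXED_XI)
    ccm_ok = is_fixed(ccm_text, FIXED_CCM) if ccm_text else None
    return {
        "xi_version": ".".join(map(str, parse_version(xi_text))),
        "xi_fixed": xi_ok,
        "ccm_fixed": ccm_ok,
        "vulnerable": not (xi_ok or bool(ccm_ok)),
    }


if __name__ == "__main__":
    # Constructed sample inputs standing in for the grep output.
    for sample in ("nagios_version=5.8.8", "nagios_version=5.8.9", "nagios_version=5.8.10"):
        print(sample, "->", assess(sample))
```

Feed the block the line returned by the grep command; a result with "vulnerable": True means the installation needs the update described under Official Fix.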

📡 Detection & Monitoring

Log Indicators:

  • Unusual search patterns in Nagios XI audit logs containing script tags or JavaScript
  • Multiple failed login attempts followed by Audit Log access

Network Indicators:

  • HTTP requests to Audit Log page with encoded script payloads in search parameters

SIEM Query:

source="nagios_xi" AND (url="*auditlog*" AND (search="*<script*" OR search="*javascript:*" OR search="*onerror=*"))
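The SIEM query above matches the raw search parameter, so a percent-encoded or double-encoded payload slips past it. The following added example (not part of this advisory) applies the same three patterns to web-server access logs after decoding the search parameter repeatedly, and restricts matches to requests for the Audit Log page. The log lines are constructed samples in common Apache/Nginx access-log format; the path /nagiosxi/admin/auditlog.php and the parameter name "search" are assumptions based on the advisory's description, and should be adjusted to what your own logs show.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines; not real Nagios XI logs.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2023:10:15:01 +0000] "GET /nagiosxi/admin/auditlog.php?search=host01 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Mar/2023:10:16:44 +0000] "GET /nagiosxi/admin/auditlog.php?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5230
10.0.0.9 - - [01/Mar/2023:10:17:02 +0000] "GET /nagiosxi/admin/auditlog.php?search=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 5230
10.0.0.7 - bob [01/Mar/2023:10:18:10 +0000] "GET /nagiosxi/index.php?search=%3Cscript%3E HTTP/1.1" 200 800
10.0.0.7 - bob [01/Mar/2023:10:19:10 +0000] "POST /nagiosxi/admin/auditlog.php HTTP/1.1" 200 800
"""

# Common access-log layout: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)

# The same three indicators the advisory's SIEM query uses, case-insensitive.
SCRIPT_PATTERNS = re.compile(r'<script|javascript:|onerror=', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo up to max_rounds of percent-encoding; stops once decoding is stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_probes(log_text):
    """Return one record per request to the Audit Log page whose decoded
    'search' parameter contains a script indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        parts = urlsplit(m.group("url"))
        if "auditlog" not in parts.path.lower():
            continue  # only the Audit Log page is in scope for this CVE
        # parse_qs performs one round of decoding; fully_decode handles the rest.
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("search", []):
            decoded = fully_decode(raw)
            if SCRIPT_PATTERNS.search(decoded):
                hits.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "ts": m.group("ts"),
                    "search": decoded,
                })
    return hits


if __name__ == "__main__":
    for hit in find_xss_probes(SAMPLE_LOG):
        print("%(ts)s %(ip)s user=%(user)s search=%(search)r" % hit)
```

On the constructed sample the plain request for "host01" and the request to index.php are ignored, while both the single- and double-encoded payloads from 10.0.0.9 are reported with their decoded contents, which is what an analyst needs to triage the alert. Run the function over your real access logs rather than only the Nagios audit log, since a successful injection is stored by the application and may not look unusual when read back from the audit table.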

🔗 References
