Login Sign Up

CVE-2024-13992

5.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

Nagios XI versions before 2024R1.1 contain a reflected cross-site scripting (XSS) vulnerability in the 404 error page. An attacker can craft malicious links that execute arbitrary JavaScript in victims' browsers when they visit the Nagios XI missing page. This affects all Nagios XI administrators and users who might click on crafted links.

💻 Affected Systems

Products:
  • Nagios XI
Versions: All versions prior to 2024R1.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability is in the core page-missing.php component.

📦 What is this software?

Nagios Xi by Nagios

View all CVEs affecting Nagios Xi →

Nagios Xi by Nagios

View all CVEs affecting Nagios Xi →

Nagios Xi by Nagios

View all CVEs affecting Nagios Xi →

Nagios Xi by Nagios

View all CVEs affecting Nagios Xi →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could steal session cookies, perform actions as the victim user (including administrative actions), or redirect to phishing pages within the Nagios XI context.

🟠

Likely Case

Session hijacking leading to unauthorized access to monitoring data, configuration changes, or privilege escalation within Nagios XI.

🟢

If Mitigated

Limited impact with proper session management, CSP headers, and user awareness about suspicious links.

🌐 Internet-Facing: MEDIUM - Requires user interaction (clicking malicious link) but internet-facing instances are more exposed to crafted links.
🏢 Internal Only: LOW - Still requires user interaction but attack surface is limited to internal users who might receive malicious links.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (victim must click malicious link) and knowledge of Nagios XI URL structure. No authentication bypass needed for the XSS itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024R1.1

Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/2024r1-1/

Restart Required: No

Instructions:

1. Backup current Nagios XI installation. 2. Download Nagios XI 2024R1.1 from Nagios customer portal. 3. Follow upgrade instructions in documentation. 4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Add input validation to page-missing.php to sanitize URL parameters before displaying them.

Modify /usr/local/nagiosxi/html/includes/page-missing.php to properly escape user input using htmlspecialchars() or similar functions

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Educate users about not clicking suspicious links to Nagios XI

🔍 How to Verify

Check if Vulnerable:

Check Nagios XI version via Admin > System Config > About. If version is earlier than 2024R1.1, system is vulnerable.

Check Version:

cat /usr/local/nagiosxi/var/xiversion

Verify Fix Applied:

After upgrade, verify version shows 2024R1.1 or later. Test by attempting to inject script tags via missing page URL parameters.

📡 Detection & Monitoring

Log Indicators:

  • Unusual 404 requests with script tags or JavaScript in URL parameters
  • Multiple failed page requests from single IP with suspicious parameters

Network Indicators:

  • HTTP requests to /nagiosxi/includes/page-missing.php with encoded script payloads in query strings

SIEM Query:

source="nagios_access.log" AND uri="/includes/page-missing.php" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")

📊 Metadata

CVE ID: CVE-2024-13992
CVSS v3 Score: 5.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.74% exploit probability (72.5th percentile)
Published: October 31, 2025
Last Updated: November 6, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13992, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)