CVE-2024-14000
📋 TL;DR
Nagios XI versions before 2024R1.1.3 contain a cross-site scripting vulnerability in the Capacity Planning Report component. Attackers can inject malicious scripts that execute in victims' browsers when viewing manipulated reports. This affects all Nagios XI administrators and users who access the vulnerable component.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full system compromise if combined with other vulnerabilities.
Likely Case
Session hijacking, credential theft, or defacement of the Nagios interface through script injection in victim browsers.
If Mitigated
Limited to script execution in isolated browser contexts with proper content security policies and session management.
🎯 Exploit Status
Requires authenticated access to inject malicious payloads into the Capacity Planning Report, then victims must view the manipulated report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024R1.1.3 or later
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Back up the current Nagios XI configuration.
2. Download the latest version from the Nagios customer portal.
3. Run the upgrade script following the Nagios documentation.
4. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Disable Capacity Planning Report
Temporarily disable the vulnerable component until patching is possible.
Navigate to Admin > System Extensions > Manage Components and disable Capacity Planning.
Implement Content Security Policy
Add CSP headers to restrict the sources from which scripts may execute.
Add the header Content-Security-Policy: script-src 'self' in the web server configuration. Note that script-src 'self' blocks inline scripts as well, so test the policy against the Nagios XI interface before enforcing it.
🧯 If You Can't Patch
- Restrict access to Nagios XI interface to trusted networks only using firewall rules
- Implement web application firewall rules to block XSS payload patterns in Capacity Planning Report parameters
🔍 How to Verify
Check if Vulnerable:
Check the Nagios XI version via Admin > System Extensions > About, or on the server run:
cat /usr/local/nagiosxi/var/xiversion
Any version before 2024R1.1.3 is affected.
Verify Fix Applied:
Confirm the version is 2024R1.1.3 or later, then confirm that a harmless test string such as <script>alert('test')</script> submitted to the Capacity Planning Report is rendered as text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to capacity planning endpoints with script tags or JavaScript code
- Multiple failed authentication attempts followed by successful login and report access
Network Indicators:
- HTTP requests containing script injection patterns to /nagiosxi/reports/capacityplanning.php
SIEM Query:
source="nagios_access.log" AND (uri="/nagiosxi/reports/capacityplanning.php" AND (method="POST" OR method="GET") AND (content="<script" OR content="javascript:"))
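The SIEM query above matches the literal strings "<script" and "javascript:", so it misses the same indicators when they arrive percent-encoded in the query string. The following script, added here as an example and not part of the original advisory, applies the same indicators to constructed Apache-style access log lines after URL-decoding; the log format, field names and sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" format; these are not real
# Nagios XI logs. Line 2 carries a URL-encoded probe that a literal match on
# "<script" (as in the SIEM query above) would not see.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /nagiosxi/reports/capacityplanning.php?host=web01 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:15 +0000] "GET /nagiosxi/reports/capacityplanning.php?host=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:40 +0000] "POST /nagiosxi/reports/capacityplanning.php HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:03:01 +0000] "GET /nagiosxi/index.php?q=javascript:alert(1) HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Endpoint named in the advisory's network indicators.
TARGET_PATH = "/nagiosxi/reports/capacityplanning.php"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Same indicators as the SIEM query, matched case-insensitively after decoding.
XSS_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <), bounded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious(log_text: str) -> list:
    """Requests to the capacity planning endpoint whose decoded query string
    carries an XSS indicator. POST bodies are absent from access logs, so a
    POST is only flagged on its query string; body checks need a WAF log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        query = decode_fully(parts.query)
        if XSS_RE.search(query):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "query": query})
    return hits
```

Line 4 of the sample is deliberately not flagged: it carries an indicator but targets a different path, matching the scoping of the SIEM query above.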