Wednesday, 11 March 2020

Nagios 5.6.11 XSS'd

Because I spent most of today on a train... most of that time went into checking the latest Nagios XI (5.6.11) VM. :) Below you will find a few notes about it. Here we go...
Today we'll start here:

TL;DR:

Below you'll find a few XSS bugs found in the latest Nagios XI (5.6.11). All of them require a logged-in admin user (so these are post-auth XSS bugs). For example:


#01 - /ldap_ad_integration/: username parameter:

Response (src):

Presented in browser:

Little hint from the source code:

#02 - same link, password parameter - similar story:



#03 - /account/main.php: theme:


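All three findings share one bug class: a request parameter (username, password, theme) is written back into the HTML response without output encoding for the context it lands in. The following is an added example, not Nagios XI source; the functions render_unsafe, render_safe, e and render_theme and the THEMES list are hypothetical, and it shows the unsafe pattern beside the hardened form, with an allow-list for the parameter that selects among fixed values.

```php
<?php
// Added example (not Nagios XI code): reflected XSS pattern and its fix.
// Scenario: a settings form re-renders submitted values after a failed save.

// UNSAFE: the raw parameter lands inside a quoted attribute. A value that
// contains a double quote closes the attribute; whatever follows is parsed
// as new attributes or markup by the browser.
function render_unsafe(array $params): string {
    $username = $params['username'] ?? '';
    return '<input type="text" name="username" value="' . $username . '">';
}

// SAFE: encode for the HTML attribute context. ENT_QUOTES covers both quote
// styles; ENT_HTML5 plus an explicit charset avoids legacy encoding gaps.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(array $params): string {
    $username = $params['username'] ?? '';
    return '<input type="text" name="username" value="' . e($username) . '">';
}

// The theme parameter has a different shape: it selects one of a fixed set
// of values, so the primary defence is an allow-list, with encoding as the
// backstop for the value that is finally written out.
const THEMES = ['classic', 'modern', 'dark'];   // constructed sample list

function render_theme(array $params): string {
    $theme = $params['theme'] ?? 'classic';
    if (!in_array($theme, THEMES, true)) {
        $theme = 'classic';                      // reject anything unexpected
    }
    return '<body class="theme-' . e($theme) . '">';
}

// Constructed input with a harmless marker, to make the difference visible.
$probe = ['username' => 'x" data-marker="injected', 'theme' => 'dark"><b>x'];
echo render_unsafe($probe), "\n";   // marker becomes a real attribute
echo render_safe($probe), "\n";     // quotes become &quot;, stays in the value
echo render_theme($probe), "\n";    // unknown theme falls back to "classic"
```

The same rule applies to the password field: a value reflected into a form is attacker-controlled text and must be encoded for the exact context (attribute, text node, script) where it is emitted.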
Hope you'll find it useful.

More cases (for CVE lovers ;)):
- 01
- 02
- 03

See you next time!

Cheers
