CVE-2011-10038

Published: Oct 30, 2025Modified: Nov 6, 2025

5.1

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Affected (10)

Products: Nagios: Nagios Xi

Nagios

1 product

Nagios Xi

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Nagios Nagios Xi	Up to 2009
Nagios Nagios Xi	Version 2011 r1.1
Nagios Nagios Xi	Version 2011 r1.2
Nagios Nagios Xi	Version 2011 r1.3
Nagios Nagios Xi	Version 2011 r1.4
Nagios Nagios Xi	Version 2011 r1.5
Nagios Nagios Xi	Version 2011 r1.6
Nagios Nagios Xi	Version 2011 r1.7
Nagios Nagios Xi	Version 2011 r1.8
Nagios Nagios Xi	Version 2011 r1

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://www.nagios.com/changelog/nagios-xi/

Source: disclosure@vulncheck.com

Release Notes

https://www.vulncheck.com/advisories/nagios-xi-xss-via-recurring-downtime-scripts

Source: disclosure@vulncheck.com

Third Party Advisory

Timeline

No history available yet.