CVE-2013-10071

Published: Oct 30, 2025Modified: Nov 6, 2025

5.1

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Affected (7)

Products: Nagios: Nagios Xi

Nagios

1 product

Nagios Xi

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Nagios Nagios Xi	Up to 2011
Nagios Nagios Xi	Version 2012 r1.0
Nagios Nagios Xi	Version 2012 r1.1
Nagios Nagios Xi	Version 2012 r1.2
Nagios Nagios Xi	Version 2012 r1.3
Nagios Nagios Xi	Version 2012 r1.4
Nagios Nagios Xi	Version 2012 r1.5

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://www.nagios.com/changelog/nagios-xi/

Source: disclosure@vulncheck.com

Release Notes

https://www.vulncheck.com/advisories/nagios-xi-reflected-xss-via-dashlet-ajax-load-functionality

Source: disclosure@vulncheck.com

Third Party Advisory

Timeline

No history available yet.