CVE-2024-13993

Published: Oct 30, 2025Modified: Nov 6, 2025

5.1

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

Nagios XI versions prior to < 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors.

Affected (5)

Products: Nagios: Nagios Xi

Nagios

1 product

Nagios Xi

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Nagios Nagios Xi	Before 2024
Nagios Nagios Xi	Version 2024 r1.0.1
Nagios Nagios Xi	Version 2024 r1.1.1
Nagios Nagios Xi	Version 2024 r1.1
Nagios Nagios Xi	Version 2024 r1

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://www.nagios.com/changelog/nagios-xi/

Source: disclosure@vulncheck.com

Release Notes

https://www.nagios.com/products/security/#nagios-xi

Source: disclosure@vulncheck.com

Vendor Advisory

https://www.vulncheck.com/advisories/nagios-xi-reflected-xss-via-login-page-on-older-browsers

Source: disclosure@vulncheck.com

Third Party Advisory

Timeline

No history available yet.