CVE-2024-14000

Published: Oct 30, 2025Modified: Nov 6, 2025

5.1

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Capacity Planning Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Affected (7)

Products: Nagios: Nagios Xi

Nagios

1 product

Nagios Xi

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Nagios Nagios Xi	Before 2024
Nagios Nagios Xi	Version 2024 r1.0.1
Nagios Nagios Xi	Version 2024 r1.0.2
Nagios Nagios Xi	Version 2024 r1.1.1
Nagios Nagios Xi	Version 2024 r1.1.2
Nagios Nagios Xi	Version 2024 r1.1
Nagios Nagios Xi	Version 2024 r1

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://www.nagios.com/changelog/nagios-xi/

Source: disclosure@vulncheck.com

Release Notes

https://www.nagios.com/products/security/#nagios-xi

Source: disclosure@vulncheck.com

Vendor Advisory

https://www.vulncheck.com/advisories/nagios-xi-xss-via-capacity-planning-report

Source: disclosure@vulncheck.com

Third Party Advisory

Timeline

No history available yet.