CVE-2024-58272

Nagios Log Server versions prior to 2024R1 contain a stored cross-site scripting (XSS) vulnerabilitywhere an attacker-supplied username containing JavaScript is stored and later rendered without proper encoding/escaping in admin or user-facing pages. When an authenticated victim loads the affected page, the browser executes the injected script in the victim's context.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
VulnCheckCNA
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://www.nagios.com/changelog/#log-server-2024R1
https://www.nagios.com/products/security/#log-server
https://www.vulncheck.com/advisories/nagios-log-server-stored-xss-via-username