Bug 1728574 (CVE-2018-17146)

Summary: CVE-2018-17146 Nagios-XI: cross-site scripting via 'name' parameter in Account Information page
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: affix, athmanem, b.heden, herrold, jose.p.oliveira.oss, lemenkov, redhat, shawn.starr, sisharma, smooge, ssaha, s, swilkerson, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nagios 5.5.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-11 19:03:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1728575, 1728576    
Bug Blocks: 1728577    

Description Dhananjay Arunesh 2019-07-10 07:45:31 UTC 
A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page.

Reference:
https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
Comment 1 Dhananjay Arunesh 2019-07-10 07:46:29 UTC 
Created nagios tracking bugs for this issue:

Affects: epel-all [bug 1728576]
Affects: fedora-all [bug 1728575]
Comment 2 Scott Wilkerson 2019-07-11 19:03:42 UTC 
This was for Nagios XI not nagios core.

Nagios XI is not distributed via epel, fedora or anything you have created all these bug for.
Comment 3 Hardik Vyas 2019-07-12 07:10:34 UTC 
Latest upstream release shipped for Nagios core is 4.4.3(and the flaw says fixed in 5.5.4 i.e for Nagios XI), XI[1] is a commercial thing with is not included in any Red Hat offerings.

Closing out fedora and epel trackers as NOTABUG.

[1] https://www.nagios.com/products/nagios-xi/
Comment 4 Hardik Vyas 2019-07-12 07:10:36 UTC 
Statement:

This issue did not affect Red Hat Gluster Storage 3 as it does not ship Nagios XI.