Bug 459248 - nagios cross-site scripting in statusmap.cgi
nagios cross-site scripting in statusmap.cgi
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=redhat,public=20090519,reporte...
: Security
Depends On: 459249
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-15 08:11 EDT by Marc Schoenefeld
Modified: 2016-03-04 07:24 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-04 15:44:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marc Schoenefeld 2008-08-15 08:11:40 EDT
Description of problem:

The statusmap.cgi has a cross-site scripting when generating 
the html tags to control the status image. 


How reproducible:

/nagios/cgi-bin/statusmap.cgi?host=a&max_width=1000&layer=%27%20onload=alert(document.cookie)%20%27%20223424embedded
ยด
Comment 2 OCS Support 2008-09-22 13:52:13 EDT
Fix provided in 'nagios-2.12-1.1.src.rpm' sent to Nils
Comment 3 Kurt Seifried 2015-02-04 15:40:05 EST
Asked for a CVE on oss-sec. Making this public.

Note You need to log in before you can comment on or make changes to this bug.