Cross-site scripting (XSS) vulnerability in Nagios allows remote attackers to inject arbitrary web script or HTML via specially-crafted 'layer' parameter passed to the Nagios network status map CGI script (statusmap.cgi). References: [1] http://tracker.nagios.org/view.php?id=207 [2] http://www.rul3z.de/advisories/SSCHADV2011-002.txt [3] http://secunia.com/advisories/43287/ Public PoC (from [2): ===================== http://site/nagios/cgi-bin/statusmap.cgi?layer=' onmouseover="alert('XSS')" '
This issue affects the version of the nagios package, as shipped with Red Hat HPC Solution. -- This issue affects the versions of the nagios package, as shipped with Fedora release of 13 and 14. This issue affects the versions of the nagios package, as present within EPEL-4, EPEL-5, and EPEL-6 repositories. Please schedule an update.
Created nagios tracking bugs for this issue Affects: epel-4 [bug 690878] Affects: epel-5 [bug 690879] Affects: epel-6 [bug 690880] Affects: fedora-all [bug 690881]
The CVE identifier of CVE-2011-1523 has been assigned to this issue (http://www.openwall.com/lists/oss-security/2011/03/28/4).
Upstream patch: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=1741
Statement: This issue affects the Red Hat HPC Solution which is End of Life. For more information please refer to: https://access.redhat.com/support/policy/updates/hpc/