CVE-2018-10554

Name of the Vulnerable Software and Affected Versions: Nagios XI version 5.4.13

Description: An issue was discovered in Nagios XI, allowing for XSS exploitation via CSRF. This can occur through various means, including the Schedule New Report screen via the hour, minute, or ampm parameter, the update pages function in downtime.php, the opts or background parameter in ajaxhelper.php, the i[] array parameter to ajax handler.php, or the title parameter in deploynotification.php.

Recommendations: For Nagios XI version 5.4.13, consider disabling the Schedule New Report screen and restricting access to the downtime.php, ajaxhelper.php, ajax handler.php, and deploynotification.php files until a patch is available. Avoid using the hour, minute, ampm, opts, background, i[], and title parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.