CVE-2020-6586

Name of the Vulnerable Software and Affected Versions Nagios Log Server version 2.1.3

Description The issue allows for cross-site scripting (XSS) attacks by exploiting a crafted name field on the /profile page, which is then mishandled on the /admin/users page. This enables any malicious user with limited access to store an XSS payload in their name field. When an administrator views this information, the XSS payload is triggered.

Recommendations For Nagios Log Server version 2.1.3, consider restricting access to the /admin/users page until a fix is available, and avoid using the name field on the /profile page to store potentially malicious input. As a temporary workaround, consider validating and sanitizing user input in the name field to prevent the storage of XSS payloads.