CVE-2023-40932

Name of the Vulnerable Software and Affected Versions Nagios XI versions 5.11.1 and below

Description A Cross-site scripting (XSS) vulnerability in the Custom Logo component allows authenticated attackers to inject arbitrary javascript or HTML via the alt-text field. This affects all pages containing the navbar, including the login page, enabling the attacker to steal plaintext credentials. The vulnerability can be exploited by remote attackers.

Recommendations For Nagios XI versions 5.11.1 and below, consider disabling the Custom Logo component until a patch is available to prevent exploitation. Restrict access to the alt-text field in the Custom Logo component to minimize the risk of XSS attacks. As a temporary workaround, avoid using the Custom Logo component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.