CERT Coordination Center

NagiosQL 3.2 Service Pack 2 contains a reflected cross-site scripting vulnerability

Vulnerability Note VU#268662

Original Release Date: 2013-12-05 | Last Revised: 2014-07-24

Overview

NagiosQL 3.2 Service Pack 2 and possibly earlier versions contain a reflected cross-site scripting vulnerability (CWE-79).

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NagiosQL 3.2 Service Pack 2 and possibly earlier versions contain a reflected cross-site scripting vulnerability. An attacker can inject arbitrary HTML content (including script) via the vulnerable txtSearch parameter.
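
The following is an added example, not part of the original note and not NagiosQL code: a check that reviews web server access logs for requests whose txtSearch value carries HTML metacharacters, including double-encoded ones. It assumes the parameter arrives in the URL query string and that logs use the common/combined format; the log lines, addresses and path below are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "txtSearch"       # parameter named in the advisory
HTML_META = set("<>\"'")  # characters that alter HTML structure if echoed unencoded
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses, path and values are placeholders (assumptions).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Dec/2013:10:01:02 +0000] "GET /app/placeholder.php?txtSearch=web01 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [05/Dec/2013:10:02:13 +0000] "GET /app/placeholder.php?txtSearch=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5301',
    '192.0.2.12 - - [05/Dec/2013:10:03:44 +0000] "GET /app/placeholder.php?txtSearch=%253Ci%253Ey HTTP/1.1" 200 5288',
    '192.0.2.13 - - [05/Dec/2013:10:04:09 +0000] "GET /app/placeholder.php?page=2 HTTP/1.1" 200 4100',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(line):
    """Return decoded txtSearch values in one log line that contain HTML metacharacters."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    try:
        query = urlsplit(match.group(1)).query
    except ValueError:  # malformed request target
        return []
    # parse_qs performs the first round of percent-decoding.
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    return [v for v in map(fully_decode, values) if HTML_META & set(v)]


def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(number, value)
            for number, line in enumerate(lines, start=1)
            for value in suspicious_values(line)]


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: {PARAM} contains markup characters: {value!r}")
```

Requests that submit the parameter in a POST body do not appear in these logs and need a different data source.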

Impact

A remote unauthenticated attacker can conduct a cross-site scripting attack, which may result in information leakage, privilege escalation, and/or denial of service.

Solution

Apply an Update

NagiosQL has advised users to apply a security hotfix to address this vulnerability.

Vendor Information


NagiosQL Affected

Notified: November 11, 2013 | Updated: December 02, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  0.8    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to William Costa for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-6039
Date Public: 2013-12-03
Date First Published: 2013-12-05
Date Last Updated: 2014-07-24 22:58 UTC
Document Revision: 19

Sponsored by CISA.