On testing the popular log monitoring and management application, Nagios Log Server version 2.1.6 (latest at the time of testing), we found that it is vulnerable to Stored XSS attacks.
CVE ID: CVE-2020-16157
Nagios Log Server is a popular Centralized Log Management, Monitoring, and Analysis software that allows organizations to view, sort, and configure logs. Version 2.1.6 of the application was found to be vulnerable to Stored XSS.
Stored Cross Site Scripting attacks involves an attacker injecting a script (referred to as the payload) that is permanently stored (persisted) on the target application (for instance within a database). A classic example is a malicious script inserted by an attacker in a comment field on a blog or in a forum post.
The attacker does not need to find an external way of inducing other users to make a particular request containing their exploit. Rather, the attacker places their exploit into the application itself and simply waits for the victim to encounter it.
The Full Name or Username in the /profile page or /admin/users/create page is vulnerable to Stored XSS. Once a payload is saved in one of these fields, navigate to the Alerting page (/alerts) and create a new alert and select Email Users as the Notification Method. As the user list is shown, it can be seen that the payload gets executed, as shown below.
- Vulnerability reported to the Nagios team on July 08, 2020
- Nagios Log Server 2.1.7 containing the fix to the vulnerability released on July 28, 2020
It is highly recommended to update the application to the latest version.