CVE-2019-20139

MEDIUM

Nagios XI 5.6.9 - Authenticated Cross-Site Scripting via nocscreenapi.php or schedulereport.php Parameters

Title source: llm

Description

In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user.

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://code610.blogspot.com/2019/12/multiple-xss-bugs-in-nagios-569.html

Scores

CVSS v3 5.4
EPSS 0.0631
EPSS Percentile 91.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
nagios/nagios_xi 5.6.9
Published Dec 30, 2019
Tracked Since Feb 18, 2026