CVE-2023-53690
MEDIUM
Nagios Fusion < 4.2.0 - Stored Cross-Site Scripting in LDAP/AD Authentication-Server Configuration
Title source: llm
Description
Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability in the LDAP/AD authentication-server configuration. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. An attacker who can add authentication servers via LDAP/AD integration could persist a malicious payload that executes in the context of other users' browsers.
References (3)
Core References
Vendor Advisory (vendor-advisory, patch): https://www.nagios.com/products/security/#fusion
Release Notes (release-notes, patch): https://www.nagios.com/changelog/nagios-fusion/
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/nagios-fusion-ldap-ad-integration-stored-xss
Scores
CVSS v3: 4.8
EPSS: 0.0091
EPSS Percentile: 76.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
nagios/fusion: < 4.2.0
Published: Oct 30, 2025
Tracked Since: Feb 18, 2026