CVE-2023-7312
MEDIUM
Nagios Fusion < 4.2.0 - Stored Cross-Site Scripting in Email Settings
Title source: llm
Description
Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability when adding or configuring Email Settings. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. An attacker who can add or modify SMTP/email settings or manipulate the sendmail configuration fields could persist a malicious payload that executes in the context of other users' browsers.
References (3)
Core References
Vendor Advisory (vendor-advisory, patch): https://www.nagios.com/products/security/#fusion
Product (release-notes, patch): https://www.nagios.com/changelog/nagios-fusion/
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/nagios-fusion-email-settings-stored-xss-via-smtp-sendmail
Scores
CVSS v3: 4.8
EPSS: 0.0036
EPSS Percentile: 58.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
nagios/fusion < 4.2.0
Published: Oct 30, 2025
Tracked Since: Feb 18, 2026