CVE-2024-14006

MEDIUM

Nagios XI < 2024 - Origin Validation Error

Title source: rule

Description

Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated links or responses, which may facilitate phishing of credentials, account recovery link hijacking, and web cache poisoning.

References (3)

Scores

CVSS v3 6.1
EPSS 0.0018
EPSS Percentile 39.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE
CWE-346
Status published

Affected Products (12)

nagios/nagios_xi < 2024
nagios/nagios_xi
nagios/nagios_xi
nagios/nagios_xi
nagios/nagios_xi
nagios/nagios_xi
nagios/nagios_xi
nagios/nagios_xi
nagios/nagios_xi
nagios/nagios_xi
nagios/nagios_xi
nagios/nagios_xi

Timeline

Published Oct 30, 2025
Tracked Since Feb 18, 2026