CVE-2023-38350 in PNP4Nagiosinfo

Summary

by MITRE • 07/15/2023

PNP4Nagios through 81ebfc5 has stored XSS in the AJAX controller via the basket API and filters. This affects 0.6.26.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 01/19/2026

The vulnerability identified as CVE-2023-38350 represents a stored cross-site scripting flaw within PNP4Nagios version 0.6.26 and earlier releases. This security weakness resides in the application's AJAX controller component, specifically within the basket API and filter functionality. The vulnerability allows attackers to inject malicious JavaScript code that persists in the application's database and executes whenever affected pages are loaded. The stored nature of this XSS vulnerability means that the malicious payload remains active even after the initial injection, making it particularly dangerous for long-term exploitation. This flaw impacts the integrity and confidentiality of the monitoring environment by potentially enabling unauthorized access to sensitive system information and user data. The vulnerability affects the core functionality of PNP4Nagios, which is widely used for performance monitoring and graphing in network infrastructure environments.

The technical implementation of this vulnerability stems from inadequate input validation and output sanitization within the basket API and filter components of the AJAX controller. When users submit data through these interfaces, the application fails to properly sanitize or encode user-supplied input before storing it in the database. This allows malicious actors to inject HTML and JavaScript code that gets executed in the context of other users' browsers when they access the affected monitoring dashboards. The vulnerability specifically targets the basket functionality, which is used to organize and display performance data, making it a critical component for attackers seeking to compromise the monitoring system. The flaw demonstrates poor security practices in web application development, particularly regarding the handling of user-controllable data in persistent storage mechanisms. This issue aligns with CWE-79, which categorizes cross-site scripting vulnerabilities as weaknesses in input validation and output encoding.

The operational impact of this stored XSS vulnerability extends beyond simple data theft or session hijacking. Attackers could leverage this vulnerability to execute arbitrary code within the context of the victim's browser, potentially leading to complete system compromise. The monitoring environment serves as a critical infrastructure component where such vulnerabilities can provide attackers with insights into network performance metrics, system configurations, and potentially sensitive operational data. The persistence of the stored payload means that once exploited, the vulnerability continues to affect users until the malicious code is removed from the database. This makes the vulnerability particularly dangerous in enterprise environments where PNP4Nagios is used for critical infrastructure monitoring. The attack surface is broad since the vulnerability affects the core dashboard functionality, making it accessible to various user roles within the monitoring system.

Security mitigations for this vulnerability should focus on immediate input validation and output encoding improvements. Organizations should implement comprehensive sanitization of all user inputs before storage, particularly within the basket API and filter components. The implementation of Content Security Policy headers can provide additional protection against malicious script execution. Regular security updates and patches should be applied immediately upon availability, as this vulnerability affects a specific version range. Network segmentation and access controls should be reviewed to limit the potential impact of exploitation. Security awareness training for administrators should emphasize the importance of monitoring and maintaining secure configurations. The vulnerability demonstrates the critical importance of secure coding practices, particularly around input validation and output encoding, which aligns with ATT&CK technique T1566.001 for credential access through social engineering and T1059.007 for command and scripting interpreter. Organizations should also implement regular security assessments and penetration testing to identify similar vulnerabilities in other monitoring and management systems.

Reservation

07/15/2023

Disclosure

07/15/2023

Moderation

accepted

CPE

ready

EPSS

0.00449

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!