{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-7318","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-10-22T15:26:40.940Z","datePublished":"2025-10-30T21:51:25.049Z","dateUpdated":"2025-11-17T18:21:46.618Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Core Command Expansion page"],"product":"XI","vendor":"Nagios","versions":[{"lessThan":"2024R1.0.2","status":"affected","version":"0","versionType":"custom"}]}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nagios:nagios_xi:2024:*:*:*:*:*:*:*","versionEndExcluding":"r1.0.2"}]}]}],"credits":[{"lang":"en","type":"finder","value":"Joran LEREEC"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Nagios XI versions prior to &lt; 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser."}],"value":"Nagios XI versions prior to < 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser."}],"impacts":[{"capecId":"CAPEC-63","descriptions":[{"lang":"en","value":"CAPEC-63 Cross-Site Scripting (XSS)"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.1,"baseSeverity":"MEDIUM","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2025-11-17T18:21:46.618Z"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.nagios.com/products/security/#nagios-xi"},{"tags":["release-notes","patch"],"url":"https://www.nagios.com/changelog/nagios-xi/2024r1-0-2/"},{"tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/nagios-xi-xss-via-core-command-expansion"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\">Nagios addresses this vulnerability as \"</span><span style=\"background-color: rgb(255, 255, 255);\">Nagios XI is vulnerable to a Cross-site scripting attack when utilizing the Nagios Core Command Expansion page</span><span style=\"background-color: rgb(255, 255, 255);\">\" (said to be fixed in 2024R1 on \"Security Disclosures\" site) and \"</span><span style=\"background-color: rgb(255, 255, 255);\">Fixed XSS in Nagios Core command expansion page</span><span style=\"background-color: rgb(255, 255, 255);\">\" (denoted in the </span><span style=\"background-color: rgb(255, 255, 255);\">2024R1.0.2 section of the changelog).</span><br>"}],"value":"Nagios addresses this vulnerability as \"Nagios XI is vulnerable to a Cross-site scripting attack when utilizing the Nagios Core Command Expansion page\" (said to be fixed in 2024R1 on \"Security Disclosures\" site) and \"Fixed XSS in Nagios Core command expansion page\" (denoted in the 2024R1.0.2 section of the changelog)."}],"source":{"discovery":"UNKNOWN"},"title":"Nagios XI < 2024R1.0.2 XSS via Core Command Expansion","x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-31T13:45:05.753127Z","id":"CVE-2023-7318","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-31T13:54:53.359Z"}}]}}