LiveActive security incident?Get immediate response
CVE Record

CVE-2013-10071: Nagios XI < 2012R1.6 Reflected XSS via Dashlet AJAX Load Functionality

Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

MediumCVSS 5.1Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

Older versions of Nagios XI, a popular IT monitoring product, contain a flaw on the dashboard that lets an attacker craft a malicious link. If a logged-in user clicks it, the attacker's script runs in their browser session, potentially stealing data or hijacking actions inside the monitoring console. Upgrading to a fixed release removes the risk.

Executive priority

Low-to-moderate priority. Patch as part of standard maintenance unless a vulnerable legacy Nagios XI is internet-facing or accessed by privileged staff, in which case schedule an expedited upgrade. No evidence of active exploitation, but legacy versions of monitoring tooling carry compounded risk.

Technical view

Nagios XI prior to 2012R1.6 has a reflected XSS (CWE-79) in the dashboard dashlet AJAX load functionality. User-supplied input is reflected without sufficient validation or output encoding, allowing arbitrary script execution in the victim's browser context. CVSS 4.0 base 5.1 (AV:N/AC:L/PR:N/UI:A) reflects network-reachable, low-complexity, unauthenticated trigger requiring user interaction.

Likely exposure

Affects organizations running legacy Nagios XI installs older than 2012R1.6. Most relevant to enterprises with internet-exposed or shared monitoring portals; far less impactful where Nagios XI is reachable only by a small set of trusted operators on isolated networks.

Exploitation context

Not listed in CISA KEV and no public reports of active exploitation are cited in the source bundle. Exploitation requires user interaction (clicking a crafted link) and a vulnerable version. The advisory was published in 2025 against a long-patched 2012-era release, so most current Nagios XI deployments should already be remediated.

Researcher notes

Reflected XSS in the dashlet AJAX load path; CWE-79 with UI:A means delivery requires social engineering of an authenticated operator. Sources do not name the exact parameter or payload context, so validation should focus on version verification rather than payload reproduction. Treat as a session-impact issue against monitoring console privileges.

Mitigation direction

  • Upgrade Nagios XI to 2012R1.6 or any later supported release per vendor changelog.
  • Restrict Nagios XI access to trusted networks via VPN, IP allowlists, or SSO gateway.
  • Enforce a strict Content-Security-Policy and HttpOnly session cookies on the Nagios XI host.
  • Train monitoring operators to avoid clicking unsolicited Nagios XI dashboard links.

Validation and detection

  • Check the Nagios XI version banner or About page against 2012R1.6 release threshold.
  • Review vendor changelog and patch history for confirmation the dashlet fix is applied.
  • Inspect web logs for unusual query strings hitting dashlet AJAX load endpoints.
  • Confirm administrative interface is not exposed to untrusted networks via external scan.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-79: User-session and phishing behavior lookup

Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2013-10071 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.1 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.1CVSS 4.0MediumCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

5.1Medium
CVSS 4.0 vector shape for CVE-2013-10071Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
NagiosXI0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.