Security readout for executives and security teams
Plain-English summary
Older versions of Nagios XI, a popular IT monitoring tool, contain a flaw in the Business Process Intelligence (BPI) configuration pages that lets an attacker plant malicious code in the browser of an authenticated user who views a tampered page. The risk is limited because exploitation requires both an authenticated account and a victim clicking through, but it can lead to session abuse inside the monitoring console.
Executive priority
Schedule a routine patch cycle to upgrade Nagios XI to 5.7.2 or later. Not an emergency given moderate severity and no known active exploitation, but should not linger because monitoring tools often hold privileged credentials and broad network visibility.
Technical view
CVE-2020-36865 is a stored/reflected cross-site scripting (CWE-79) issue in Nagios XI versions prior to 5.7.2, located in the BPI component's Config Management and Edit Config pages. User-supplied input is insufficiently validated or escaped, allowing script execution in the victim's browser context. CVSS 4.0 base 5.1 reflects network attack vector, low complexity, low privileges, required user interaction, and limited confidentiality/integrity impact on a subsequent component.
Likely exposure
Organizations running Nagios XI installations earlier than 5.7.2 with the BPI module enabled and accessible to authenticated users. Internet-exposed Nagios XI portals or shared multi-tenant monitoring deployments raise the exposure profile. Single-administrator, internal-only instances on patched releases are not exposed.
Exploitation context
Not listed in CISA KEV and no public reports of active exploitation cited in the source bundle. Exploitation requires an authenticated attacker with access to BPI configuration and a victim user interacting with the crafted content, which limits opportunistic abuse but is realistic in shared admin environments.
Researcher notes
Authenticated XSS in the BPI Config Management and Edit Config pages of Nagios XI < 5.7.2; CWE-79; CVSS 4.0 vector indicates PR:L and UI:P with limited subsequent-component impact (SC:L/SI:L). Affected version data in the bundle is sparse (defaultStatus unaffected, version "0"), so confirm exact fixed build via the Nagios changelog and the VulnCheck advisory before scoping.
Mitigation direction
- Upgrade Nagios XI to version 5.7.2 or later per vendor changelog.
- Restrict BPI configuration access to a minimal set of trusted administrators.
- Place Nagios XI behind authenticated VPN or SSO; avoid public internet exposure.
- Review session and CSRF protections; enforce short session lifetimes for admins.
- Monitor BPI config changes and admin activity for unexpected script-like inputs.
Validation and detection
- Identify Nagios XI version via the admin console or version file and compare to 5.7.2.
- Inventory which users hold BPI configuration privileges and whether BPI is enabled.
- Confirm patch level after upgrade by re-checking the version string.
- Review proxy or WAF logs for unusual BPI Config Management requests.
- Audit admin browser sessions and recent BPI config edits for anomalies.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2020-36865 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.1 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
5.1MediumVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://www.nagios.com/changelog/nagios-xi/CVE reference · release-notes, patch
- https://www.vulncheck.com/advisories/nagios-xi-xss-via-bpi-config-managementCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Input During Web Page Generation
Improper Neutralization of Input During Web Page Generation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
