Описание
Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated links or responses, which may facilitate phishing of credentials, account recovery link hijacking, and web cache poisoning.
Ссылки
- Release Notes
- Vendor Advisory
- Third Party Advisory
Уязвимые конфигурации
Одно из
EPSS
6.1 Medium
CVSS3
Дефекты
Связанные уязвимости
Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated links or responses, which may facilitate phishing of credentials, account recovery link hijacking, and web cache poisoning.
Уязвимость инструмента для мониторинга ИТ-инфраструктуры Nagios XI, связанная с ошибкой подтверждения источника данных, позволяющая нарушителю проводить фишинг-атаки
EPSS
6.1 Medium
CVSS3