CVE-2020-36860: 
Nagios XI vulnerability analysis and mitigation

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple cross-site scripting (XSS) vulnerabilities in the object edit pages. This vulnerability was discovered and reported by Matthew Aberegg (VulnCheck Advisories).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v4.0 base score of 5.1 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:P). The vulnerability has no direct impact on confidentiality, integrity, or availability of the vulnerable component, but can affect system confidentiality and integrity at a low level (VulnCheck Advisories).

The vulnerability allows attackers to inject and execute arbitrary script in the context of a victim's browser due to insufficient validation or escaping of user-supplied input. This could potentially lead to theft of sensitive browser-based data or manipulation of displayed content (VulnCheck Advisories).

The vulnerability has been fixed in Nagios XI version 5.7.4 and CCM version 3.0.7. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Nagios Changelog).