CVE-2020-36861: 
Nagios XI vulnerability analysis and mitigation

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.8 / Nagios XI 5.7.5 contains multiple cross-site scripting (XSS) vulnerabilities in the overlay UI elements and the Notification/Check Period pages. The vulnerability allows attackers to inject and execute arbitrary script in the context of a victim's browser due to insufficient validation or escaping of user-supplied input (VulnCheck Advisory).

The vulnerability has been assigned CVE-2020-36861 with a CVSS V4 Base Score of 5.1 (Medium) and vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). The vulnerability affects the overlay UI elements and Notification/Check Period pages in the Core Config Manager component (VulnCheck Advisory).

If exploited, this vulnerability allows attackers to inject and execute arbitrary JavaScript code in the context of a victim's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the authenticated user (VulnCheck Advisory).

Users should upgrade to Nagios XI version 5.7.5 or later, which includes CCM version 3.0.8 or later, to address this vulnerability (Nagios Changelog).