CVE-2020-6586: 
Nagios vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in Nagios Log Server version 2.1.3, identified as CVE-2020-6586. The vulnerability exists in the user profile functionality, where any malicious user with limited access can store an XSS payload in their Name field via the /profile page, which is then mishandled when displayed on the /admin/users page. When an administrator views the affected page, the stored XSS payload is triggered (Medium Blog, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires low attack complexity and limited privileges to exploit, but does require user interaction. The scope is changed, and it can impact both confidentiality and integrity at a low level, with no impact on availability (NVD).

When successfully exploited, this vulnerability allows remote attackers to inject malicious script code into the client-side application, potentially compromising user session information or data. The attack is particularly concerning as it affects the administrative interface, allowing malicious users to target administrators with stored XSS payloads (Medium Blog).

The vulnerability was addressed in subsequent releases of Nagios Log Server. According to the changelog, version 2.1.4 included fixes for XSS vulnerabilities in the 'Create User', 'Edit User', and other administrative pages (Nagios Changelog). Users should upgrade to a version newer than 2.1.3 to protect against this vulnerability.