CVE-2021-47694: 
Nagios XI vulnerability analysis and mitigation

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.4 / Nagios XI 5.8.6 contains a reflected cross-site scripting (XSS) vulnerability via the Test Command functionality. The vulnerability was discovered by Amit Raut of Trend Micro Security Research working with Trend Micro Zero Day Initiative and was assigned CVE-2021-47694 (VulnCheck Advisory).

The vulnerability stems from insufficient validation or escaping of user-supplied input in the Test Command functionality of the Core Config Manager. The issue has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output). The vulnerability has a CVSS v4.0 base score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (VulnCheck Advisory).

When exploited, this vulnerability allows an attacker to inject and execute arbitrary script in the context of a victim's browser. This could potentially lead to theft of sensitive browser-based data or perform actions on behalf of the victim (VulnCheck Advisory).

The vulnerability has been fixed in Nagios XI version 5.8.6 and CCM version 3.1.4. Users are advised to upgrade to these versions or later to mitigate the risk (Nagios Changelog).