CVE-2023-53688: 
Nagios XI vulnerability analysis and mitigation

Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. The vulnerability was discovered by Aleksey Solovev from Positive Technologies and assigned CVE-2023-53688. The issue was disclosed on October 30, 2025 (VulnCheck Advisory).

The vulnerability involves two distinct security issues in the Hypermap Replay component: a cross-site scripting (XSS) vulnerability due to improper input validation and escaping (CWE-79), and a cross-site request forgery (CSRF) vulnerability due to insufficient anti-CSRF protections on state-changing operations (CWE-352). The vulnerability has been assigned a CVSS v4.0 base score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (VulnCheck Advisory).

An attacker can exploit these vulnerabilities to execute malicious scripts in the context of a victim's browser through XSS and induce authenticated users to perform unwanted actions through CSRF. The attack requires user interaction but can be initiated remotely (VulnCheck Advisory).

The vulnerability has been patched in Nagios XI version 5.11.3. Users are advised to upgrade to this version or later to address these security issues (Nagios Changelog).