CVE-2023-53690: 
NixOS vulnerability analysis and mitigation

Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability identified as CVE-2023-53690. The vulnerability exists in the LDAP/AD authentication-server configuration component, where unsanitized user input can be stored and later rendered in the administrative UI. This vulnerability was discovered and reported by Tisha Manandhar, and was patched in version 4.2.0 released on October 18, 2023 (Nagios Changelog, VulnCheck Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v4.0 score of 6.2 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N. The issue stems from improper input validation in the LDAP/AD authentication-server configuration interface, allowing stored XSS payloads to be executed when viewed by other users in the administrative interface (VulnCheck Advisory).

When exploited, this vulnerability allows an attacker with the ability to add authentication servers via LDAP/AD integration to persist malicious JavaScript code that executes in the context of other users' browsers when they view the affected administrative page. This could potentially lead to session hijacking, credential theft, or other client-side attacks against administrative users (VulnCheck Advisory).

The vulnerability has been fixed in Nagios Fusion version 4.2.0. Organizations using affected versions should upgrade to version 4.2.0 or later to remediate this security issue. The fix was released as part of a security update that addressed multiple XSS vulnerabilities in the product (Nagios Changelog).