CVE-2023-7312:
Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability when adding or configuring Email Settings. The vulnerability was discovered and disclosed on October 30, 2025, affecting the Email Settings functionality in Nagios Fusion installations (VulnCheck Advisory, Nagios Changelog).
The vulnerability allows unsanitized user input to be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. The issue has been assigned a CVSS V4 Base Score of 6.2 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (VulnCheck Advisory).
An attacker who can add or modify SMTP/email settings or manipulate the sendmail configuration fields could persist a malicious payload that executes in the context of other users' browsers. This could lead to unauthorized access to sensitive information or allow actions to be performed on behalf of affected users (VulnCheck Advisory).
The vulnerability has been fixed in Nagios Fusion version 4.2.0. Users are advised to upgrade to this version or later to address the security issue. The fix was released as part of the security updates in version 4.2.0 (Nagios Changelog).
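
To illustrate the store-then-render flaw described above, the following added example (not Nagios Fusion code and not taken from the advisory) audits stored email settings for HTML metacharacters and contrasts raw rendering with output encoding. The field names and sample values are constructed assumptions.

```python
import html
import re

# Constructed sample of stored email settings. Field names are hypothetical
# and are not taken from Nagios Fusion's actual schema.
STORED_SETTINGS = {
    "smtp_host": "mail.example.org",
    "smtp_user": "fusion@example.org",
    "from_name": 'Fusion <script>document.title="x"</script>',
    "sendmail_path": '/usr/sbin/sendmail" onfocus="void(0)',
}

# Characters that change meaning in HTML element or attribute context.
HTML_META = re.compile(r"[<>\"'&]")


def audit_settings(settings):
    """Return the names of stored fields whose values contain HTML metacharacters."""
    return sorted(k for k, v in settings.items() if HTML_META.search(v))


def render_unsafe(name, value):
    """The flawed pattern: the stored value is concatenated into markup as-is."""
    return '<input name="%s" value="%s">' % (name, value)


def render_encoded(name, value):
    """Output-encode at render time so stored markup is displayed as text."""
    return '<input name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


if __name__ == "__main__":
    # Print each suspicious field with its safely encoded rendering for review.
    for field in audit_settings(STORED_SETTINGS):
        print("review:", field, "->", render_encoded(field, STORED_SETTINGS[field]))
```

Values flagged by the audit are worth reviewing and cleaning even after upgrading, since the page describes the payload as persisted in stored settings.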