Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated links or responses, which may facilitate phishing of credentials, account recovery link hijacking, and web cache poisoning.

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-14006
• https://www.nagios.com/changelog/nagios-xi
• https://www.nagios.com/products/security/#nagios-xi
• https://www.vulncheck.com/advisories/nagios-xi-host-header-injection