CVE-2024-14006

Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated links or responses, which may facilitate phishing of credentials, account recovery link hijacking, and web cache poisoning.

Weakness

The product does not properly verify that the source of data or communication is valid.

Affected Software

Name	Vendor	Start Version	End Version
Nagios_xi	Nagios	*	2024 (excluding)
Nagios_xi	Nagios	2024-r1 (including)	2024-r1 (including)
Nagios_xi	Nagios	2024-r1.0.1 (including)	2024-r1.0.1 (including)
Nagios_xi	Nagios	2024-r1.0.2 (including)	2024-r1.0.2 (including)
Nagios_xi	Nagios	2024-r1.1 (including)	2024-r1.1 (including)
Nagios_xi	Nagios	2024-r1.1.1 (including)	2024-r1.1.1 (including)
Nagios_xi	Nagios	2024-r1.1.2 (including)	2024-r1.1.2 (including)
Nagios_xi	Nagios	2024-r1.1.3 (including)	2024-r1.1.3 (including)
Nagios_xi	Nagios	2024-r1.1.4 (including)	2024-r1.1.4 (including)
Nagios_xi	Nagios	2024-r1.1.5 (including)	2024-r1.1.5 (including)
Nagios_xi	Nagios	2024-r1.2 (including)	2024-r1.2 (including)
Nagios_xi	Nagios	2024-r1.2.1 (including)	2024-r1.2.1 (including)

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-14006
CWE	https://cwe.mitre.org/data/definitions/346.html

Origin Validation Error

Weakness

Affected Software

References

CVE-2024-14006

Origin Validation Error

Weakness

Affected Software

Related Attack Patterns

References