Software
Xymon http://xymon.sourceforge.net/
Versions affected: All 4.3 versions prior to 4.3.25 as well as 4.1.x and 4.2.x


JavaScript injection in “detailed status webpage” of monitoring items
A status message sent from a Xymon client may contain arbitrary data, including HTML, which is included unmodified on the “detailed status” page served by the Xymon status web interface. A malicious user may send a status message containing custom JavaScript code, which is then rendered in the browser of any user viewing that status page.


Exploiting this bug requires control over the contents of a status message sent to Xymon, which is possible if you control one of the servers monitored by Xymon or the Xymon master server itself. In addition, a user must actually view the “detailed status” webpage for the injected code to run.


Technical Background
Monitored systems can send manually defined status reports. The following command sends such a status report; the free-text part of the message (here simply "aa") is where a JavaScript payload would be placed.
./xymon 127.0.0.1 "status hostname-local.cpu green aa"

Visiting the following URL triggers the (stored) cross-site scripting vulnerability.
http://127.0.0.1/xymon-cgi/svcstatus.sh?HOST=hostname-local&SERVICE=cpu

Solution
Content-Security-Policy definitions have been added to the web server's response headers. This mitigates the attack at least for current browsers that enforce CSP.
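The following is an added illustration, not Xymon's own code: it models the "status HOST.SERVICE COLOR TEXT" message shown above, renders the detailed-status fragment once the unsafe way the advisory describes and once with output encoding, and carries a CSP header value of the kind the fix relies on. The regular expression, the rendering functions and the exact CSP value are assumptions for the example, not Xymon's implementation.

```python
import html
import re
from typing import NamedTuple

# Constructed model of a Xymon status message (not Xymon's parser).
# Example: "status hostname-local.cpu green aa"
STATUS_RE = re.compile(
    r"^status\s+(?P<host>[^.\s]+)\.(?P<service>\S+)\s+"
    r"(?P<color>green|yellow|red|clear|purple|blue)\b\s*(?P<text>.*)$",
    re.S,
)


class Status(NamedTuple):
    host: str
    service: str
    color: str
    text: str  # free text supplied by the (untrusted) client


def parse_status(message: str) -> Status:
    """Split a status message into host, service, color and free text."""
    m = STATUS_RE.match(message)
    if not m:
        raise ValueError("not a status message")
    return Status(m["host"], m["service"], m["color"], m["text"])


def render_detail_vulnerable(st: Status) -> str:
    """Pre-fix behaviour described in the advisory: TEXT is interpolated
    verbatim, so any markup a client sends becomes live in the page."""
    return f"<h2>{st.host} : {st.service}</h2><pre>{st.text}</pre>"


def render_detail_escaped(st: Status) -> str:
    """Output encoding: every client-controlled field is HTML-escaped, so
    tags arrive in the browser as text, not as elements."""
    return (f"<h2>{html.escape(st.host)} : {html.escape(st.service)}</h2>"
            f"<pre>{html.escape(st.text)}</pre>")


# Assumed CSP header (example value, not the one shipped in 4.3.25):
# inline scripts are not allowed because neither 'unsafe-inline' nor a
# nonce/hash is granted, so an injected <script> block does not execute.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")


def contains_script_tag(rendered: str) -> bool:
    """Coarse check: would the browser see a live <script> element?"""
    return re.search(r"<script\b", rendered, re.I) is not None
```

Escaping fixes the injection at the source; the CSP header is the second layer that keeps an injected inline script from running even if some page forgets to escape.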


Time Line
2016-01-08 – Reported vulnerability to authors
2016-02-08 – Vulnerability has been fixed in Xymon version 4.3.25.

Resources
https://sourceforge.net/p/xymon/news/2016/02/xymon-4325-released--security-update/