Versions affected: All 4.3 versions prior to 4.3.25, as well as 4.1.x and 4.2.x
Exploiting this bug requires control over the contents of a status message sent to Xymon, which is the case if you control one of the servers monitored by Xymon or the Xymon master server itself. The bug also requires a user to actually view the “detailed status” web page.
./xymon 127.0.0.1 "status hostname-local.cpu green aa"
Visiting the following URL triggers the (stored) cross-site scripting vulnerability.
Content-Security-Policy headers have been added to the web server responses; this should at least mitigate the attack in current browsers.
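The two defensive measures implied above, escaping the attacker-influenced status text before it is embedded in the detailed status page and sending a CSP header with that page, as an added example that is not Xymon's own code. It assumes a simplified status line of the form "status <host>.<test> <color> <text>" as used in the advisory, with the last "." separating host from test name.

```python
import html
from typing import Dict, Tuple

# Constructed example, not Xymon's own code. The <text> part of a status line is
# controlled by whoever sends the status (a monitored host or the master server),
# so it must never reach the detailed status HTML page unescaped.
# Assumption: the test name contains no '.', so the last '.' splits host and test.

COLORS = {"green", "yellow", "red", "clear", "blue", "purple"}


def parse_status(line: str) -> Dict[str, str]:
    """Split a status line into host, test, color and free text."""
    parts = line.split(None, 3)
    if len(parts) < 3 or parts[0] != "status":
        raise ValueError("not a status line")
    hosttest, color = parts[1], parts[2]
    if color not in COLORS:
        raise ValueError("unknown color: %r" % color)
    host, _, test = hosttest.rpartition(".")
    if not host or not test:
        raise ValueError("expected <host>.<test>")
    text = parts[3] if len(parts) == 4 else ""
    return {"host": host, "test": test, "color": color, "text": text}


def esc(value: str) -> str:
    """HTML-escape a field, including quotes, so it is safe inside tags and attributes."""
    return html.escape(value, quote=True)


def render_detail(status: Dict[str, str]) -> str:
    """Render the detailed status page body; every field came from the sender, so all are escaped."""
    return (
        "<h2>%s : %s</h2>\n" % (esc(status["host"]), esc(status["test"]))
        + '<pre class="%s">%s</pre>' % (esc(status["color"]), esc(status["text"]))
    )


# Constructed CSP for the web server, the mitigation mentioned above for current
# browsers: only same-origin scripts and resources, no inline script execution.
CSP_HEADER = "Content-Security-Policy"
CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def render_response(line: str) -> Tuple[Dict[str, str], str]:
    """Return (headers, body) for a detailed status page built from one status line."""
    body = render_detail(parse_status(line))
    headers = {CSP_HEADER: CSP_VALUE, "Content-Type": "text/html; charset=utf-8"}
    return headers, body
```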
2016-01-08 – Reported vulnerability to authors
2016-02-08 – Vulnerability has been fixed in Xymon version 4.3.25.