关键信息 漏洞标题: Nagios XI < 5.6.11 Unauthenticated XSS and SSRF via Highcharts 严重性: MEDIUM 日期: October 30, 2025 影响版本: XI < 5.6.11 CVE编号: CVE-2020-36862 CWE编号: - CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') - CWE-918 Server-Side Request Forgery (SSRF) CVSS评分: 6.9 CVSS V4向量: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/S:E/LA:L 参考链接: Nagios XI Changelog 描述: - Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. - Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSRF), potentially accessing internal network resources. - An unauthenticated remote attacker can leverage these issues to execute script in a user's browser when the exported content is viewed and to disclose sensitive information reachable from the export server via SSRF.