Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.
archives.neohapsis.com/archives/bugtraq/2011-06/0017.html
archives.neohapsis.com/archives/bugtraq/2011-06/0018.html
secunia.com/advisories/44974
securityreason.com/securityalert/8274
tracker.nagios.org/view.php?id=224
www.openwall.com/lists/oss-security/2011/06/01/10
www.openwall.com/lists/oss-security/2011/06/02/6
www.rul3z.de/advisories/SSCHADV2011-005.txt
www.rul3z.de/advisories/SSCHADV2011-006.txt
www.securityfocus.com/bid/48087
www.ubuntu.com/usn/USN-1151-1
bugzilla.redhat.com/show_bug.cgi?id=709871
dev.icinga.org/issues/1605
exchange.xforce.ibmcloud.com/vulnerabilities/67797