An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting.

(2) includes/components/xicore/downtime.php, related to the update_pages function.

(3) the ajaxhelper.php opts or background parameter.

(4) the i[] array parameter to ajax_handler.php.

or (5) the deploynotification.php title parameter.