VYPR
Moderate severity · NVD Advisory · Published Dec 20, 2018 · Updated Sep 17, 2024

CVE-2018-1000855


Description

easymon prior to 1.4.1 has a reflected XSS in monitoring endpoint, allowing cookie theft via crafted URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

easymon versions 1.4 and earlier contain a reflected Cross-Site Scripting (XSS) vulnerability in the endpoint where monitoring is mounted. The issue occurs because the check name is not properly escaped when displaying a not-found message, allowing injection of arbitrary JavaScript [1][3]. The vulnerable code path is reachable when accessing the monitoring endpoint with a non-existent check name. Affected versions: easymon <= 1.4.

Exploitation

An attacker can exploit this vulnerability by crafting a URL containing an XSS payload as the check name and tricking a victim into clicking it. The victim must be using Firefox for the XSS to execute [2]. No special network position or authentication is required; the victim simply needs to navigate to the crafted URL while the monitoring endpoint is mounted.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can be used to steal cookies, depending on the cookie settings (e.g., if cookies are not marked HttpOnly) [2]. The impact is limited to the victim's browser and does not directly compromise the server.

Mitigation

The vulnerability is fixed in easymon version 1.4.1 and later [2][3]. Users should upgrade to at least version 1.4.1. The fix was implemented by escaping the check name in the not-found output [3]. No workarounds are documented; upgrading is the recommended action.
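The following is an added illustration of the defect class described above and of the escaping fix; it is constructed for this page and is not easymon's code. The check registry, the handler and the function names are hypothetical. It renders the same not-found message two ways: with the request-supplied check name interpolated raw into the HTML body (the pattern reported for easymon <= 1.4) and with the name passed through the Ruby standard library's ERB::Util.html_escape, which is conceptually what the 1.4.1 fix does.

```ruby
require "erb" # provides ERB::Util.html_escape (Ruby stdlib)

# Constructed check registry standing in for the monitoring checks an
# application would register; not easymon's real registry.
CHECKS = {
  "database" => -> { [true, "ok"] }
}.freeze

# Vulnerable pattern: the check name taken from the URL lands in the HTML
# response body unmodified, so markup in the name is interpreted by the browser.
def not_found_unescaped(check_name)
  "<h1>Check #{check_name} not found</h1>"
end

# Hardened pattern: escape the name before it reaches the body. '<', '>', '&',
# '"' and "'" become entities, so the name is displayed as text only.
def not_found_escaped(check_name)
  "<h1>Check #{ERB::Util.html_escape(check_name)} not found</h1>"
end

# Minimal Rack-style handler (hypothetical). The check name is the path under
# the mount point, e.g. PATH_INFO "/database". `escape: false` reproduces the
# vulnerable behaviour for comparison; defaults to the fixed behaviour.
def handle(env, escape: true)
  name = env["PATH_INFO"].to_s.sub(%r{\A/}, "")
  headers = { "Content-Type" => "text/html" }

  if CHECKS.key?(name)
    ok, message = CHECKS[name].call
    body = "<h1>#{ERB::Util.html_escape(name)}: #{ERB::Util.html_escape(message)}</h1>"
    [ok ? 200 : 503, headers, [body]]
  else
    body = escape ? not_found_escaped(name) : not_found_unescaped(name)
    [404, headers, [body]]
  end
end

# Regression check a maintainer can keep in the test suite: a response body
# must never echo the request-supplied name as raw markup.
def echoes_raw_markup?(request_name, body)
  request_name.match?(/[<>]/) && body.include?(request_name)
end

if __FILE__ == $PROGRAM_NAME
  sample = "<b>x</b>" # constructed name containing markup
  puts handle({ "PATH_INFO" => "/#{sample}" }, escape: false)[2].first
  puts handle({ "PATH_INFO" => "/#{sample}" })[2].first
end
```

Running the block prints the two 404 bodies side by side: the first still contains the `<b>` tag from the request, the second shows `&lt;b&gt;x&lt;/b&gt;`. The `echoes_raw_markup?` helper is the kind of check that would have caught this class of bug before release; it is independent of the browser-specific behaviour mentioned in the Exploitation section, and pairs naturally with marking session cookies HttpOnly so that a future reflection bug cannot read them from script.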

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: easymon (RubyGems)
Affected versions: < 1.4.1
Patched versions: 1.4.1

Affected products: 1



References: 5
