PatchSiren cyber security CVE debrief
CVE-2017-6393 Nagvis CVE debrief
CVE-2017-6393 is a cross-site scripting issue in NagVis 1.9b12. The supplied NVD record says insufficient filtration of user-supplied data passed to the "nagvis-master/share/userfiles/gadgets/std_table.php" URL can let an attacker execute arbitrary HTML and script code in a browser in the context of the vulnerable website. NVD classifies the issue as CWE-79 and rates it CVSS 6.1 (medium), with network attackability but user interaction required.
- Vendor: Nagvis
- Product: CVE-2017-6393
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
NagVis administrators and operators, especially anyone running version 1.9b12 or exposing the NagVis web interface to trusted users, should treat this as a real browser-side injection risk.
Technical summary
The official record identifies CWE-79 (cross-site scripting) affecting NagVis 1.9b12. The vulnerable path is the std_table.php gadget endpoint under nagvis-master/share/userfiles/gadgets/. The CVSS vector in NVD is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: the issue is reachable over the network with low attack complexity and no privileges, requires user interaction, has a changed scope, and carries low confidentiality and integrity impact with no availability impact.
Defensive priority
Medium. The issue is remotely reachable and can affect browser content and session context, but it requires user interaction and is not rated as availability-impacting. Prioritize it if the NagVis UI is accessible to many users or reachable over the network.
Recommended defensive actions
- Apply the vendor fix or update referenced by the NagVis issue 91 advisory in the supplied references.
- Restrict access to the NagVis web interface until the affected version is remediated.
- Review the std_table.php input and output handling to ensure untrusted data is properly validated and encoded before rendering.
- Confirm the deployment is not still running NagVis 1.9b12, which is the vulnerable version named in the NVD record.
Evidence notes
This debrief is based on the supplied official CVE/NVD material only. The CVE was published on 2017-03-02 and the NVD record was last modified on 2026-05-13. The NVD metadata names NagVis 1.9b12 as vulnerable, classifies the weakness as CWE-79, assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and cites the GitHub issue 91 reference as a patch/vendor advisory source. A SecurityFocus BID 96537 reference is also listed, but it is treated here as a secondary reference.
Official resources
- CVE-2017-6393 CVE record (CVE.org)
- CVE-2017-6393 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Mitigation or vendor reference (Patch, Vendor Advisory)
Publicly disclosed on 2017-03-02; this debrief uses the CVE publication date and the latest NVD modified timestamp from the supplied record.