
Nagios Log Server vulnerabilities

23 known vulnerabilities affecting nagios/log_server.

Total CVEs: 23
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 7, MEDIUM 13

Vulnerabilities

Page 1 of 2
CVE-2025-34274 | P2 | CRITICAL | CVSS 9.8 | fixed in 2024 | v2024 +1 more | 2025-10-30
CWE-250: Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compromise the Logstash process - for example by exploiting an insecure plugin, pipeline configuration injection, or a vulnerability in input parsing - th
nvd
CVE-2025-29471 | P3 | HIGH | CVSS 8.3 | PoC | v2024 | 2025-04-15
CWE-79: Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field.
nvd
CVE-2025-44823 | P2 | HIGH | CVSS 8.8 | fixed in 2024 | v2024 +1 more | 2025-10-07
CWE-497: Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.
nvd
CVE-2025-34277 | P2 | CRITICAL | CVSS 9.8 | fixed in 2024 | v2024 +1 more | 2025-10-30
CWE-94: Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply crafted dashboard ID values can cause the system to execute attacker-controlled data, leading to arbitrary code execution in the co
nvd
CVE-2025-34271 | P2 | CRITICAL | CVSS 9.8 | fixed in 2024 | v2024 +1 more | 2025-10-30
CWE-319: Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/TLS is enabled in the product configuration. As a result, an attacker positioned on the network path can intercept credentials in transit. Captured c
nvd
CVE-2020-16157 | P3 | MEDIUM | CVSS 5.4 | PoC | fixed in 2.1.7 | 2020-07-30
CWE-79: A Stored XSS vulnerability exists in Nagios Log Server before 2.1.7 via the Notification Methods -> Email Users menu.
nvd
CVE-2025-34298 | P3 | HIGH | CVSS 8.8 | fixed in 2024 | v2024 +1 more | 2025-10-30
CWE-281: Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed
nvd
CVE-2025-34322 | P3 | HIGH | CVSS 7.2 | fixed in 2026 | v2026 +1 more | 2025-11-17
CWE-78: Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settings—including model selection and connection parameters—are read from the global configuration and concatenated into a shell command
nvd
CVE-2023-7322 | P3 | HIGH | CVSS 8.1 | fixed in 2024 | fixed in 2024R1 | 2025-10-30
CWE-863: Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect authorization check could allow authenticated but non-privileged users to read or
nvd
CVE-2021-35478 | P3 | MEDIUM | CVSS 5.4 | fixed in 2.1.9 | 2021-07-30
CWE-79: Nagios Log Server before 2.1.9 contains Reflected XSS in the dropdown box for the alert history and audit log function. All parameters used for filtering are affected. This affects users who open a crafted link or third-party web page.
nvd
CVE-2025-34323 | P3 | HIGH | CVSS 7.8 | fixed in 2026 | v2026 +1 more | 2025-11-17
CWE-732: Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to a combination of sudo misconfiguration and group-writable application directories. The 'www-data' user is a member of the 'nagios' group, which has write access to '/usr/local/nagioslogserver/scripts', while several scripts in this directory are owned by
nvd
CVE-2024-58273 | P3 | HIGH | CVSS 7.8 | fixed in 2024 | v2024 +1 more | 2025-10-30
CWE-266: Nagios Log Server versions prior to 2024R1.0.2 contain a local privilege escalation vulnerability that allows an attacker who could execute commands as the Apache web user (or the backend shell user) to escalate to root on the host.
nvd
CVE-2025-44824 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024 | v2024 +1 more | 2025-10-07
CWE-863: Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response. This is GL:NLS#474.
nvd
CVE-2025-34273 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024 | v2024 +1 more | 2025-10-30
CWE-863: Nagios Log Server versions prior to 2024R2.0.3 contain an incorrect authorization vulnerability that allows non-administrator users to delete global dashboards. The application did not correctly enforce authorization checks for the global dashboard deletion workflow, enabling lower-privileged users to remove dashboards that affect other users or the
nvd
CVE-2025-34272 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024 | v2024 +1 more | 2025-10-30
CWE-200: In Nagios Log Server versions prior to 2024R2.0.3, when a user's configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementations this can result in an unexpected dashboard being presented as the user's default view. Depending on the product's dashboard sharing and access po
nvd
CVE-2020-25385 | P3 | MEDIUM | CVSS 6.1 | ≤ 2.1.7 | 2021-01-20
CWE-79: Nagios Log Server 2.1.7 contains a cross-site scripting (XSS) vulnerability in /nagioslogserver/configure/create_snapshot through the snapshot_name parameter, which may impact users who open a maliciously crafted link or third-party web page.
nvd
CVE-2021-35479 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.1.9 | 2021-07-30
CWE-79: Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter. This affects users who open a crafted link or third-party web page.
nvd
CVE-2025-34270 | P4 | MEDIUM | CVSS 4.9 | fixed in 2024 | v2024 +1 more | 2025-10-30
CWE-312: Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to ad
nvd
CVE-2023-7323 | P4 | MEDIUM | CVSS 5.4 | fixed in 2024 | fixed in 2024R1 | 2025-10-30
CWE-79: Nagios Log Server versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Create User function. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2020-36858 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.1.6 | 2025-10-30
CWE-79: Nagios Log Server versions prior to 2.1.6 contain cross-site scripting (XSS) vulnerabilities via the web interface on the Create User, Edit User, and Manage Host Lists pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd