CVE-2025-29471

Published Apr 15, 2025

Last updated 2 months ago

Nagios Log Server

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-29471 is a stored Cross-Site Scripting (XSS) vulnerability found in Nagios Log Server version 2024R1.3.1. It exists in the web interface and allows a low-privilege user to inject a malicious JavaScript payload into their profile's email field. When an administrator views the audit logs, the injected script executes, potentially leading to privilege escalation through unauthorized admin account creation. In certain configurations, this vulnerability can be chained to achieve remote code execution (RCE). Public exploits are reportedly available.

Description: Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.3
Impact score: 6
Exploitability score: 1.6
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity: HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7CEC223A-A3EE-4C51-8B71-E19C73B9215C"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.