Vulnerabilites related to nagios - network_analyzer
Vulnerability from fkie_nvd
Published
2025-04-01 17:15
Modified
2025-07-11 13:39
Severity ?
Summary
A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/harshal79/Privilege-Escalation-in-Nagios-Network-Analyzer.git | Third Party Advisory | |
| cve@mitre.org | https://www.nagios.com/changelog/#network-analyzer | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nagios | network_analyzer | 2024 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nagios:network_analyzer:2024:r1.0.3:*:*:*:*:*:*",
"matchCriteriaId": "9896555A-4661-43E4-970C-625C091639D2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with \"Read-Only\" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability."
},
{
"lang": "es",
"value": "Una vulnerabilidad de control de acceso err\u00f3neo en Nagios Network Analyzer 2024R1.0.3 permite a usuarios con privilegios bajos y acceso de \"Solo lectura\" realizar acciones administrativas, como detener servicios del sistema y eliminar recursos cr\u00edticos. Esta falla surge debido a una aplicaci\u00f3n incorrecta de autorizaciones, lo que permite modificaciones no autorizadas que comprometen la integridad y la disponibilidad del sistema."
}
],
"id": "CVE-2025-28131",
"lastModified": "2025-07-11T13:39:20.370",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-04-01T17:15:46.493",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/harshal79/Privilege-Escalation-in-Nagios-Network-Analyzer.git"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.nagios.com/changelog/#network-analyzer"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-08 13:15
Modified
2024-11-21 06:00
Severity ?
Summary
SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.nagios.com/downloads/nagios-network-analyzer/change-log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.nagios.com/downloads/nagios-network-analyzer/change-log/ | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nagios | network_analyzer | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nagios:network_analyzer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4CD9F7-496F-4F72-86DE-E6F9004F5632",
"versionEndExcluding": "2.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en Nagios Network Analyzer versiones anteriores a 2.4.3, por medio del par\u00e1metro o[col] en api/checks/read/"
}
],
"id": "CVE-2021-28925",
"lastModified": "2024-11-21T06:00:24.143",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-08T13:15:14.410",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-04-18 17:15
Modified
2025-07-11 13:33
Severity ?
Summary
An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nagios | network_analyzer | 2024 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nagios:network_analyzer:2024:r1.0.3:*:*:*:*:*:*",
"matchCriteriaId": "9896555A-4661-43E4-970C-625C091639D2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions."
},
{
"lang": "es",
"value": "Una vulnerabilidad de control de acceso en Nagios Network Analyzer 2024R1.0.3 permite que usuarios eliminados conserven el acceso a los recursos del sistema debido a la invalidaci\u00f3n incorrecta de sesiones y al manejo de tokens obsoletos. Cuando un administrador elimina una cuenta de usuario, el backend no finaliza las sesiones activas ni revoca los tokens de API asociados, lo que permite el acceso no autorizado a funciones restringidas."
}
],
"id": "CVE-2025-28059",
"lastModified": "2025-07-11T13:33:38.457",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-04-18T17:15:34.700",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/aakashtyal/Residual-Data-Access-Post-User-Deletion-in-Nagios-Network-Analyzer-Version-2024R1"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.nagios.com/changelog/#network-analyze"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-08 13:15
Modified
2024-11-21 06:00
Severity ?
Summary
Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.nagios.com/downloads/nagios-network-analyzer/change-log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.nagios.com/downloads/nagios-network-analyzer/change-log/ | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nagios | network_analyzer | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nagios:network_analyzer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4CD9F7-496F-4F72-86DE-E6F9004F5632",
"versionEndExcluding": "2.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo XSS auto-autenticado en Nagios Network Analyzer versiones anteriores a 2.4.2 por medio de la p\u00e1gina nagiosna/groups/queries"
}
],
"id": "CVE-2021-28924",
"lastModified": "2024-11-21T06:00:23.997",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-08T13:15:14.287",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-28059 (GCVE-0-2025-28059)
Vulnerability from cvelistv5
Published
2025-04-18 00:00
Modified
2025-04-22 14:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-28059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T14:28:16.258795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T14:28:48.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T16:44:25.506Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/aakashtyal/Residual-Data-Access-Post-User-Deletion-in-Nagios-Network-Analyzer-Version-2024R1"
},
{
"url": "https://www.nagios.com/changelog/#network-analyze"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-28059",
"datePublished": "2025-04-18T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-04-22T14:28:48.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28925 (GCVE-0-2021-28925)
Vulnerability from cvelistv5
Published
2021-04-08 12:57
Modified
2024-08-03 21:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.
References
| ▼ | URL | Tags |
|---|---|---|
| https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25 | x_refsource_MISC | |
| https://www.nagios.com/downloads/nagios-network-analyzer/change-log/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.737Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-08T12:57:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-28925",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25",
"refsource": "MISC",
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"name": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/",
"refsource": "MISC",
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-28925",
"datePublished": "2021-04-08T12:57:36",
"dateReserved": "2021-03-19T00:00:00",
"dateUpdated": "2024-08-03T21:55:11.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28924 (GCVE-0-2021-28924)
Vulnerability from cvelistv5
Published
2021-04-08 12:57
Modified
2024-08-03 21:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25 | x_refsource_MISC | |
| https://www.nagios.com/downloads/nagios-network-analyzer/change-log/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-08T12:57:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-28924",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25",
"refsource": "MISC",
"url": "https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25"
},
{
"name": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/",
"refsource": "MISC",
"url": "https://www.nagios.com/downloads/nagios-network-analyzer/change-log/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-28924",
"datePublished": "2021-04-08T12:57:39",
"dateReserved": "2021-03-19T00:00:00",
"dateUpdated": "2024-08-03T21:55:11.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-28131 (GCVE-0-2025-28131)
Vulnerability from cvelistv5
Published
2025-04-01 00:00
Modified
2025-04-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-28131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T19:47:52.727528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T19:47:57.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with \"Read-Only\" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T16:28:15.939Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.nagios.com/changelog/#network-analyzer"
},
{
"url": "https://github.com/harshal79/Privilege-Escalation-in-Nagios-Network-Analyzer.git"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-28131",
"datePublished": "2025-04-01T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-04-01T19:47:57.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}