Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.
2025-10-30T22:15:45.043
2025-11-06T16:17:23.587
Analyzed
CVSSv3.1: 9.8 (CRITICAL)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | nagios | nagios_xi | < 2024 | Yes |
| Application | nagios | nagios_xi | 2024 | Yes |
| Application | nagios | nagios_xi | 2024 | Yes |
| Application | nagios | nagios_xi | 2024 | Yes |
| Application | nagios | nagios_xi | 2024 | Yes |
| Application | nagios | nagios_xi | 2024 | Yes |
| Application | nagios | nagios_xi | 2024 | Yes |