Critical flaws fixed in Nagios Log Server - #CVE-2025-29471
The Nagios Security Team has addressed three critical vulnerabilities in Nagios Log Server affecting version 2024R1.3.1: a stored XSS vulnerability (CVE-2025-29471) that can be leveraged for privilege escalation, a DoS issue that lets non-admin users disrupt log indexing and alert generation, and an information disclosure flaw that exposes API keys. The vulnerabilities were reported by Seth Kraft and Alex Tisdale and are fixed in versions 2024R2 and 2024R1.3.2. Although the risk of external exploitation is low, since Nagios Log Server machines are rarely internet-facing, organizations are strongly advised to upgrade, particularly because PoC exploits for two of the vulnerabilities are publicly available. Note that an in-place upgrade from 2024R1 to 2024R2 is not possible because of significant changes between the releases.