CVE-2025-34298 | THREATINT

Description

Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-30 | Updated 2025-10-31 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-281 Improper Preservation of Permissions

Product status

Default status

unaffected

Any version before 2024R1.3.2

affected

References

www.nagios.com/changelog/nagios-log-server-2024r1/ release-notes patch

www.vulncheck.com/...g-server-set-email-privilege-escalation third-party-advisory

cve.org (CVE-2025-34298)

nvd.nist.gov (CVE-2025-34298)

Download JSON