April 15, 2025 By Zeljka Zorz
The Nagios Security Team has fixed three critical vulnerabilities affecting popular enterprise log management and analysis platform Nagios Log Server.
About the flaws
The vulnerabilities, discovered and reported by security researchers Seth Kraft and Alex Tisdale, include:
1. A stored XSS vulnerability (CVE-2025-29471) in the web interface of Nagios Log Server that allows a standard (low-privilege) user to inject a malicious JavaScript payload into their profile’s ‘email’ field to achieve privilege escalation.
“When an administrator views the audit logs, the script executes, resulting in privilege escalation via unauthorized admin account creation,” Kraft says. “The vulnerability can be chained to achieve remote code execution (RCE) in certain configurations.”
2. A DoS vulnerability (CVE pending) that could allow non-admin users to shut down Elasticsearch – a code dependency of Nagios Log Server – via the API.
“If Elasticsearch is stopped, logs cannot be indexed, alerts cannot be generated, and historical data retrieval fails,” Kraft explained.
3. An information disclosure vulnerability (CVE pending) that allows any low-level user (with API read-only access) to perform a “get_users” API request and grab API keys (tokens) for all read-only and admin users in plaintext.
“This flaw enables user enumeration, privilege escalation, and full system compromise via unauthorized use of exposed tokens,” Tisdale noted.
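The first flaw is a classic stored XSS pattern: a profile field written by a low-privilege user is later rendered, unescaped, into a page an administrator views. The following Python is an added illustration written for this article, not Nagios code, and it uses a constructed sample profile; it shows the unsafe concatenation beside a hardened version that validates the address on write and HTML-escapes every stored field on output.

```python
import html
import re

# Input-side check applied when the profile is saved: a plain address pattern
# that has no room for angle brackets, quotes or whitespace (assumed policy).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def validate_email(value: str) -> bool:
    """Return True only for a plain address; anything containing markup fails."""
    return bool(EMAIL_RE.fullmatch(value))

def render_audit_row_unsafe(user: dict) -> str:
    """Pattern to avoid: stored profile fields concatenated straight into HTML."""
    return f"<tr><td>{user['username']}</td><td>{user['email']}</td></tr>"

def render_audit_row(user: dict) -> str:
    """Hardened: every stored field is HTML-escaped at the point of output,
    so whatever reached the database cannot become script in the admin's browser."""
    cells = (html.escape(str(user[k]), quote=True) for k in ("username", "email"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"

# Constructed sample: a low-privilege user's profile whose email field carries markup.
SAMPLE_USER = {"username": "analyst", "email": 'a@example.com"><script>x()</script>'}

def demo() -> dict:
    """Compare both renderers on the sample profile and report what each emits."""
    unsafe = render_audit_row_unsafe(SAMPLE_USER)
    safe = render_audit_row(SAMPLE_USER)
    return {
        "accepted_on_write": validate_email(SAMPLE_USER["email"]),  # False
        "unsafe_has_script_tag": "<script>" in unsafe,              # True
        "safe_has_script_tag": "<script>" in safe,                  # False
        "safe_row": safe,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Output encoding is the control that matters for the audit-log view; the input check is defence in depth, since an attacker can often bypass client-side or API-level validation.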