N
agios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios XI web interface depending on the target account.
References
| Link | Resource |
|---|---|
| https://www.nagios.com/changelog/nagios-xi/ | Release Notes |
| https://www.nagios.com/products/security/#nagios-xi | Vendor Advisory |
| https://www.vulncheck.com/advisories/nagios-xi-allow-insecure-logins-missing-authorization | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
06 Nov 2025, 16:18
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Nagios
Nagios nagios Xi |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| References | () https://www.nagios.com/changelog/nagios-xi/ - Release Notes | |
| References | () https://www.nagios.com/products/security/#nagios-xi - Vendor Advisory | |
| References | () https://www.vulncheck.com/advisories/nagios-xi-allow-insecure-logins-missing-authorization - Third Party Advisory | |
| CPE | cpe:2.3:a:nagios:nagios_xi:2024:r1.1.1:*:*:*:*:*:* cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:*:*:*:*:*:* cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:* cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:* cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:* |
30 Oct 2025, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-10-30 22:15
Updated : 2025-11-06 16:18
NVD link : CVE-2024-13994
Mitre link : CVE-2024-13994
CVE.ORG link : CVE-2024-13994
JSON object : View
CWE
CWE-862
Missing Authorization