Log Server
by Nagios
CVEs (26)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-29471 | | High | 0.57 | 8.3 | 0.06 | | Apr 15, 2025 | Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field. |
| CVE-2020-6585 | | High | 0.57 | 8.8 | 0.01 | | Mar 16, 2020 | Nagios Log Server 2.1.3 has CSRF. |
| CVE-2020-6584 | | Med | 0.43 | 6.5 | 0.04 | | Mar 16, 2020 | Nagios Log Server 2.1.3 has Incorrect Access Control. |
| CVE-2021-35478 | | Med | 0.41 | 5.4 | 0.77 | | Jul 30, 2021 | Nagios Log Server before 2.1.9 contains Reflected XSS in the dropdown box for the alert history and audit log function. All parameters used for filtering are affected. This affects users who open a crafted link or third-party web page. |
| CVE-2020-25385 | | Med | 0.41 | 6.1 | 0.16 | | Jan 20, 2021 | Nagios Log Server 2.1.7 contains a cross-site scripting (XSS) vulnerability in /nagioslogserver/configure/create_snapshot through the snapshot_name parameter, which may impact users who open a maliciously crafted link or third-party web page. |
| CVE-2019-15898 | | Med | 0.40 | 6.1 | 0.02 | | Sep 3, 2019 | Nagios Log Server before 2.0.8 allows Reflected XSS via the username on the Login page. |
| CVE-2020-6586 | | Med | 0.37 | 5.4 | 0.27 | | Mar 16, 2020 | Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a crafted name field that is mishandled on the /admin/users page. Any malicious user with limited access can store an XSS payload in his Name. When any admin views this, the XSS is triggered. |
| CVE-2021-35479 | | Med | 0.36 | 5.4 | 0.13 | | Jul 30, 2021 | Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter. This affects users who open a crafted link or third-party web page. |
| CVE-2020-16157 | | Med | 0.36 | 5.4 | 0.14 | | Jul 30, 2020 | A Stored XSS vulnerability exists in Nagios Log Server before 2.1.7 via the Notification Methods -> Email Users menu. |
| CVE-2025-34323 | | | 0.00 | — | 0.00 | | Nov 17, 2025 | Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to a combination of sudo misconfiguration and group-writable application directories. The 'www-data' user is a member of the 'nagios' group, which has write access to… |
| CVE-2025-34322 | | | 0.00 | — | 0.05 | | Nov 17, 2025 | Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settings—including model selection and connection… |
| CVE-2023-7321 | | | 0.00 | — | 0.00 | | Oct 30, 2025 | Nagios Log Server versions prior to 2.1.14 are vulnerable to cross-site scripting (XSS) via the Snapshots Page. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim’s browser… |
| CVE-2023-7323 | | | 0.00 | — | 0.00 | | Oct 30, 2025 | Nagios Log Server versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Create User function. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2020-36858 | | | 0.00 | — | 0.00 | | Oct 30, 2025 | Nagios Log Server versions prior to 2.1.6 contain cross-site scripting (XSS) vulnerabilities via the web interface on the Create User, Edit User, and Manage Host Lists pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute… |
| CVE-2025-34298 | | | 0.00 | — | 0.01 | | Oct 30, 2025 | Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state,… |
| CVE-2025-34277 | | | 0.00 | — | 0.02 | | Oct 30, 2025 | Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply crafted dashboard ID values can cause the system to… |
| CVE-2025-34272 | | | 0.00 | — | 0.01 | | Oct 30, 2025 | In Nagios Log Server versions prior to 2024R2.0.3, when a user's configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementations this can result in an unexpected dashboard being presented as the user's… |
| CVE-2025-34273 | | | 0.00 | — | 0.01 | | Oct 30, 2025 | Nagios Log Server versions prior to 2024R2.0.3 contain an incorrect authorization vulnerability that allows non-administrator users to delete global dashboards. The application did not correctly enforce authorization checks for the global dashboard deletion workflow, enabling… |
| CVE-2024-58273 | | | 0.00 | — | 0.00 | | Oct 30, 2025 | Nagios Log Server versions prior to 2024R1.0.2 contain a local privilege escalation vulnerability that allows an attacker who could execute commands as the Apache web user (or the backend shell user) to escalate to root on the host. |
| CVE-2025-34274 | | | 0.00 | — | 0.02 | | Oct 30, 2025 | Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compromise the Logstash process - for example by exploiting an insecure plugin,… |
Page 1 of 2