Описание
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.
Ссылки
- Release Notes
- Vendor Advisory
- Third Party Advisory
Уязвимые конфигурации
Одно из
EPSS
9.8 Critical
CVSS3
Дефекты
Связанные уязвимости
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.
Уязвимость инструмента для мониторинга ИТ-инфраструктуры Nagios XI, связанная с неверным сроком действия сеанса, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
EPSS
9.8 Critical
CVSS3