← Back

CVE-2025-28059

nvd nist
Published: Apr 18, 2025Modified: Jul 11, 2025

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.

Affected (1)

Nagios
1 product
Network Analyzer
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Network Analyzer
Version 2024 r1.0.3

Related CWEs

CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (2)

Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Release Notes

Timeline

No history available yet.