CVE-2025-34272
MEDIUMNagios Log Server < 2024R2.0.3 - Unauthorized Information Exposure via Default Dashboard Fallback
Title source: llmDescription
In Nagios Log Server versions prior to 2024R2.0.3, when a user's configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementations this can result in an unexpected dashboard being presented as the user's default view. Depending on the product's dashboard sharing and access policies, this behavior may cause information exposure or unexpected privilege exposure.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
patch
https://www.nagios.com/products/security/#log-server-2024R2
Release Notes release-notes
patch
https://www.nagios.com/changelog/#log-server
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/nagios-log-server-non-empty-default-dashboard-fallback
Scores
CVSS v3
6.5
EPSS
0.0122
EPSS Percentile
79.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
nagios/log_server
2024 r1 (14 CPE variants)
nagios/log_server
< 2024
Published
Oct 30, 2025
Tracked Since
Feb 18, 2026