AI description
CVE-2025-29471 is a stored Cross-Site Scripting (XSS) vulnerability found in Nagios Log Server version 2024R1.3.1. It exists in the web interface and allows a low-privilege user to inject a malicious JavaScript payload into their profile's email field. When an administrator views the audit logs, the injected script executes, potentially leading to privilege escalation through unauthorized admin account creation. In certain configurations, this vulnerability can be chained to achieve remote code execution (RCE). Public exploits are reportedly available.
- Description: Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field.
- Source: cve@mitre.org
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 8.3
- Impact score: 6
- Exploitability score: 1.6
- Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Severity: HIGH
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-79
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 1
🚨CVE-2025-29471: Stored XSS PoC Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field. Credit: https://t.co/gisV0TIgSv
@EncryptoGuard
16 Apr 2025
24 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-29471 Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field. https://t.co/96UaR94Use
@CVEnew
16 Apr 2025
684 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨CVE-2025-29471: Stored XSS PoC Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field. Credit: https://t.co/70CmkIBkSf https://t.co/IWoUeJzVIL
@DarkWebInformer
15 Apr 2025
7526 Impressions
12 Retweets
53 Likes
24 Bookmarks
3 Replies
0 Quotes
Nagios Log Server (<=2024R1.3.1) patched 3 critical flaws: XSS (CVE-2025-29471), DoS, info disclosure. Fix in 2024R2/2024R1.3.2. Upgrade advised, PoCs exist. https://t.co/XIEeoH9vbZ
@Jfreeg_
15 Apr 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes