Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-7322

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-30 Oct, 2025 | 21:23
Updated At-17 Nov, 2025 | 21:36
Rejected At-
Credits

Nagios Log Server < 2024R1 Incorrect Authorization Granting Full API Access

Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect authorization check could allow authenticated but non-privileged users to read or modify resources beyond their intended rights.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:30 Oct, 2025 | 21:23
Updated At:17 Nov, 2025 | 21:36
Rejected At:
▼CVE Numbering Authority (CNA)
Nagios Log Server < 2024R1 Incorrect Authorization Granting Full API Access

Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect authorization check could allow authenticated but non-privileged users to read or modify resources beyond their intended rights.

Affected Products
Vendor
Nagios Enterprises, LLCNagios
Product
Log Server
Modules
  • Web API / Authorization and Permission Enforcement Layer
Default Status
unaffected
Versions
Affected
  • From 0 before 2024R1 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-863CWE-863 Incorrect Authorization
Type: CWE
CWE ID: CWE-863
Description: CWE-863 Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Nagios addresses this vulnerability as "Fixed a security bug where users without API permissions had full API access."

Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.nagios.com/changelog/nagios-log-server-2024r1/
release-notes
patch
https://www.vulncheck.com/advisories/nagios-log-server-incorrect-authorization-granting-full-api-access
third-party-advisory
Hyperlink: https://www.nagios.com/changelog/nagios-log-server-2024r1/
Resource:
release-notes
patch
Hyperlink: https://www.vulncheck.com/advisories/nagios-log-server-incorrect-authorization-granting-full-api-access
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:30 Oct, 2025 | 22:15
Updated At:06 Nov, 2025 | 16:20

Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect authorization check could allow authenticated but non-privileged users to read or modify resources beyond their intended rights.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.18.1HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CPE Matches
Nagios Enterprises, LLC
nagios
>>log_server>>Versions before 2024(exclusive)
cpe:2.3:a:nagios:log_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-863Secondarydisclosure@vulncheck.com
CWE ID: CWE-863
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.nagios.com/changelog/nagios-log-server-2024r1/disclosure@vulncheck.com
Release Notes
https://www.vulncheck.com/advisories/nagios-log-server-incorrect-authorization-granting-full-api-accessdisclosure@vulncheck.com
Third Party Advisory
Hyperlink: https://www.nagios.com/changelog/nagios-log-server-2024r1/
Source: disclosure@vulncheck.com
Resource:
Release Notes
Hyperlink: https://www.vulncheck.com/advisories/nagios-log-server-incorrect-authorization-granting-full-api-access
Source: disclosure@vulncheck.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

103Records found
CVE-2023-34923
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.27% / 50.38%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 00:00
Updated-04 Dec, 2024 | 21:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML Signature Wrapping (XSW) in SAML-based Single Sign-on feature in TOPdesk v12.10.12 allows bad actors with credentials to authenticate with the Identity Provider (IP) to impersonate any TOPdesk user via SAML Response manipulation.

Action-Not Available
Vendor-topdeskn/a
Product-topdeskn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-47183
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.38% / 59.20%
||
7 Day CHG+0.10%
Published-04 Oct, 2024 | 15:06
Updated-25 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Parse Server's custom object ID allows to acquire role privileges

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.

Action-Not Available
Vendor-parseplatformparse-communityparse_community
Product-parse-serverparse-serverparse_server
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-3066
Matching Score-4
Assigner-Switzerland National Cyber Security Centre (NCSC)
ShareView Details
Matching Score-4
Assigner-Switzerland National Cyber Security Centre (NCSC)
CVSS Score-8.1||HIGH
EPSS-0.09% / 24.81%
||
7 Day CHG+0.02%
Published-05 Jun, 2023 | 08:27
Updated-08 Jan, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mobatime mobile application - Broken authorisation

Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: through 1.3.20.

Action-Not Available
Vendor-mobatimeMobatime
Product-amxgt_100Mobatime mobile application AMXGT100
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found