Security Advisory

CVE-2024-13996

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-10-30 21:44:26
Last updated 2025-11-17 18:21:47
Assigner VulnCheck
State PUBLISHED

Description

Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.
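The following is an added example, not Nagios XI code: a minimal in-memory session store that shows the flawed behaviour next to the corrected one. The class `SessionStore`, its methods and the `revoke_others` flag are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory users and sessions (hypothetical model, not Nagios XI code)."""

    def __init__(self):
        self._users = {}      # username -> (salt, password hash)
        self._sessions = {}   # session token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        salt, stored = self._users.get(user, (b"", b""))
        if not stored or not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def is_valid(self, token):
        return token in self._sessions

    def change_password(self, token, new_password, revoke_others=True):
        """Change the password for the user who owns this session.

        revoke_others=False reproduces the flaw described above: every
        other session for that user stays valid after the change.
        Returns the number of other sessions that were revoked.
        """
        user = self._sessions[token]
        self.set_password(user, new_password)
        if not revoke_others:
            return 0
        # Collect first, then delete, to avoid mutating the dict while iterating.
        stale = [t for t, u in self._sessions.items() if u == user and t != token]
        for t in stale:
            del self._sessions[t]
        return len(stale)
```

A regression check for this class of bug opens two sessions for one account, changes the password from the first, and asserts that the second is rejected afterwards.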