2025-10-30 21:44:26
VulnCheck
PUBLISHED
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that users password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.