CVE-2024-13995: 
Nagios XI vulnerability analysis and mitigation

Nagios XI versions prior to 2024R1.1.2 contains an information disclosure vulnerability that affects authenticated users. The vulnerability was discovered in versions 2024R1.1 and 2024R1.1.1, where sensitive user account information, including API keys and hashed passwords, could be exposed to authenticated users who should not have access to such data (VulnCheck Advisory).

The vulnerability is tracked as CVE-2024-13995 and has been assigned CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). It has received a CVSS v4.0 base score of 7.1 HIGH with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to serious security implications including account compromise, abuse of API privileges, and potential offline password cracking attempts due to the exposure of hashed passwords (VulnCheck Advisory).

Users should upgrade to Nagios XI version 2024R1.1.2 or later to address this vulnerability. This version contains the necessary security fixes to prevent unauthorized access to sensitive user account information (Nagios Changelog).