Cross-Site Scripting Vulnerability in Icinga Web 2 by Icinga
CVE-2018-18247
5.4 MEDIUM
What is CVE-2018-18247?
Icinga Web 2 versions prior to 2.6.2 are susceptible to a cross-site scripting (XSS) vulnerability. The issue arises from inadequate input validation of the 'icon' parameter in the '/icingaweb2/navigation/add' endpoint. Malicious actors can exploit this vulnerability to execute arbitrary JavaScript code in the context of a victim's browser, potentially stealing sensitive information or performing actions on behalf of the user without their consent. Users should upgrade to version 2.6.2 or later to mitigate this risk.
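One way to triage captured requests for this issue, as an added example that is not part of the original advisory or Icinga's code: it flags `icon` values sent to the endpoint named above when they fall outside an allowlist. The allowlist pattern, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/icingaweb2/navigation/add"  # endpoint named in the advisory
# Assumption: a legitimate icon value is a short icon name or an image path.
SAFE_ICON = re.compile(r"[A-Za-z0-9_./-]{1,128}")

# Constructed sample records: (request URL, url-encoded form body).
SAMPLE_REQUESTS = [
    ("/icingaweb2/navigation/add", "name=Wiki&icon=globe"),
    ("/icingaweb2/navigation/add", "name=x&icon=img%2Ficons%2Fhost.png"),
    ("/icingaweb2/navigation/add", "name=x&icon=%3Cb%3Ex%3C%2Fb%3E"),
    ("/icingaweb2/navigation/add?icon=%253Cb%253E", ""),
    ("/icingaweb2/dashboard", "icon=%3Cb%3E"),
]

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so the analyst sees the final characters."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_icon(url, body=""):
    """Return the decoded icon value if the request targets the endpoint and
    the value is outside the allowlist; otherwise return None."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != ENDPOINT:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    for raw in params.get("icon", []):
        icon = fully_decode(raw)  # parse_qs already removed one layer
        if icon and not SAFE_ICON.fullmatch(icon):
            return icon
    return None

def flag_requests(requests):
    """Return (url, decoded icon) for every request that needs review."""
    checked = ((url, suspicious_icon(url, body)) for url, body in requests)
    return [(url, icon) for url, icon in checked if icon is not None]

if __name__ == "__main__":
    for url, icon in flag_requests(SAMPLE_REQUESTS):
        print(f"review: {url} icon={icon!r}")
```

A hit means the value needs review, not that exploitation occurred; upgrading past the affected versions remains the fix.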
