Cross-Site Request Forgery Vulnerability Affects Icinga Web 2 Versions
CVE-2024-24819

5.3MEDIUM

Key Information:

Vendor

Icinga

Status
Icingaweb2-module-incubator
Vendor
CVE Published:
9 February 2024

What is CVE-2024-24819?

The icingaweb2-module-incubator is a project that encompasses cutting-edge Icinga Web 2 libraries. In specific vulnerable versions, the class gipfl\Web\Form, which normally offers built-in cross-site request forgery (CSRF) protection, unintentionally allows for inadequate validation of CSRF tokens. Although a CSRF token is automatically included in forms, the system does not validate the token upon submission, enabling an attacker to manipulate actions on behalf of unsuspecting users. To safeguard against this vulnerability, users must update to at least version 0.22.0, as there are currently no known workarounds available.

Affected Version(s)

icingaweb2-module-incubator >= 0.1.0, < 0.22.0

References

https://github.com/Icinga/icingaweb2-module-incubator/sec...
x_refsource_CONFIRM
https://github.com/Icinga/icingaweb2-module-incubator/com...
x_refsource_MISC
https://github.com/search?q=gipfl%5CWeb%5CForm%3B&type=code
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.