Icinga Web 2
CVE-2018-18246
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module.
AnalysisAI
Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. Affected products include: Icinga Icinga Web 2. Version information: before 2.6.2.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
More in Icinga Web 2
View allIcinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker
Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as
Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string,
Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. Rated medium severity (CVSS 5.4), t
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated low severity (CVSS
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today