3 results (0.006 seconds)

CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 1

Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. • https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3 https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947 https://github.com/nbuchwitz/icingaweb2-module-map/pull/86 https://support.apple.com/en-is/guide/safari/sfri11471/16.0 https://www.chromium.org/updates/same-site • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account, a related issue to CVE-2017-14312. This also affects bin/icingastats, bin/ido2db, and bin/log2ido. Icinga Core hasta la versión 1.14.0 ejecuta inicialmente bin/icinga como root, pero es compatible con opciones de configuración en las cuales este archivo es propiedad de una cuenta sin root (y, de forma similar, puede poseer etc/icinga.cfg sin root), lo que permite que usuarios locales obtengan privilegios aprovechando el acceso a esta cuenta sin root. Este problema está relacionado con CVE-2017-14312. Esto también afecta a bin/icingastats, bin/ido2db y bin/log2ido. • https://github.com/Icinga/icinga-core/issues/1601 https://security.gentoo.org/glsa/202007-31 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0

Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi. Vulnerabilidad de XSS en el Classic-UI con el enlace de exportación CSV y la funcionalidad de paginación en Icinga en versiones anteriores a 1.14 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la cadena de consulta a cgi-bin/status.cgi. • http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00019.html http://www.openwall.com/lists/oss-security/2015/10/23/15 http://www.openwall.com/lists/oss-security/2015/10/29/15 http://www.securityfocus.com/bid/97145 https://github.com/Icinga/icinga-core/issues/1563 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •