CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 1CVE-2020-24368 – Gentoo Linux Security Advisory 202208-05
https://notcve.org/view.php?id=CVE-2020-24368
19 Aug 2020 — Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2. Icinga Icinga Web 2 versiones 2.0.0 hasta 2.6.4, 2.7.4 y 2.8.2, presenta una vulnerabilidad de Salto de Directorio que permite a un atacante acceder a archivos arbitrarios que son legibles por el proceso que ejecuta Icinga Web 2. Este problema ... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00026.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 1CVE-2020-14004
https://notcve.org/view.php?id=CVE-2020-14004
12 Jun 2020 — An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user. Se detectó un problema en Icinga2 versiones anteriores a v2.12.0-rc1. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00014.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18246
https://notcve.org/view.php?id=CVE-2018-18246
17 Dec 2018 — Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. Icinga Web 2 en versiones anteriores a la 2.6.2 tiene CSRF mediante /icingaweb2/config/moduledisable?name=monitoring para deshabilitar el módulo de monitorización o mediante /icingaweb2/config/moduleenable? • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18247
https://notcve.org/view.php?id=CVE-2018-18247
17 Dec 2018 — Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. Icinga Web 2 en versiones anteriores a la 2.6.2 tiene Cross-Site Scripting (XSS) mediante el parámetro icon en /icingaweb2/navigation/add. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18248
https://notcve.org/view.php?id=CVE-2018-18248
17 Dec 2018 — Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string. Icinga Web 2 tiene Cross-Site Scripting (XSS) mediante el parámetro dir en /icingaweb2/monitoring/list/services o las cadenas de consulta /icingaweb2/user/list, /icingaweb2/monitoring/timeline o /icingaweb2/setup. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18249
https://notcve.org/view.php?id=CVE-2018-18249
17 Dec 2018 — Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. Icinga Web 2 en versiones anteriores a la 2.6.2 permite la inyección de directivas PHP ini-file mediante vectores relacionados con el uso de variables de entorno como canal para el envío de información al ata... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18250
https://notcve.org/view.php?id=CVE-2018-18250
17 Dec 2018 — Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item. Icinga Web 2 en versiones anteriores a la 2.6.2 permite parámetros que rompen los dashlets de navegación, tal y como queda demostrado con un único carácter "$" como nombre de un ítem Navigation. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6532
https://notcve.org/view.php?id=CVE-2018-6532
27 Feb 2018 — An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted (authenticated and unauthenticated) requests, an attacker can exhaust a lot of memory on the server side, triggering the OOM killer. Se ha descubierto un problema en Icinga, en versiones 2.x hasta la 2.8.1. Mediante el envío de peticiones (autenticadas y no autenticadas) especialmente manipuladas, un atacante puede agotar mucha memoria del lado del servidor, desencadenando el killer OOM. • https://github.com/Icinga/icinga2/pull/6103 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6533
https://notcve.org/view.php?id=CVE-2018-6533
27 Feb 2018 — An issue was discovered in Icinga 2.x through 2.8.1. By editing the init.conf file, Icinga 2 can be run as root. Following this the program can be used to run arbitrary code as root. This was fixed by no longer using init.conf to determine account information for any root-executed code (a larger issue than CVE-2017-16933). Se ha descubierto un problema en Icinga, en versiones 2.x hasta la 2.8.1. • https://github.com/Icinga/icinga2/pull/5850 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6534
https://notcve.org/view.php?id=CVE-2018-6534
27 Feb 2018 — An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash. Se ha descubierto un problema en Icinga, en versiones 2.x hasta la 2.8.1. Al enviar mensajes especialmente manipulados, un atacante puede provocar una desreferencia de puntero NULL, lo que puede hacer que el producto se cierre inesperadamente. • https://github.com/Icinga/icinga2/pull/6104 • CWE-476: NULL Pointer Dereference •