CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18246
https://notcve.org/view.php?id=CVE-2018-18246
Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. Icinga Web 2 en versiones anteriores a la 2.6.2 tiene CSRF mediante /icingaweb2/config/moduledisable?name=monitoring para deshabilitar el módulo de monitorización o mediante /icingaweb2/config/moduleenable? • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180027.txt • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18247
https://notcve.org/view.php?id=CVE-2018-18247
Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. Icinga Web 2 en versiones anteriores a la 2.6.2 tiene Cross-Site Scripting (XSS) mediante el parámetro icon en /icingaweb2/navigation/add. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180029.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18248
https://notcve.org/view.php?id=CVE-2018-18248
Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string. Icinga Web 2 tiene Cross-Site Scripting (XSS) mediante el parámetro dir en /icingaweb2/monitoring/list/services o las cadenas de consulta /icingaweb2/user/list, /icingaweb2/monitoring/timeline o /icingaweb2/setup. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180028.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18250
https://notcve.org/view.php?id=CVE-2018-18250
Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item. Icinga Web 2 en versiones anteriores a la 2.6.2 permite parámetros que rompen los dashlets de navegación, tal y como queda demostrado con un único carácter "$" como nombre de un ítem Navigation. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180030.txt • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18249
https://notcve.org/view.php?id=CVE-2018-18249
Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. Icinga Web 2 en versiones anteriores a la 2.6.2 permite la inyección de directivas PHP ini-file mediante vectores relacionados con el uso de variables de entorno como canal para el envío de información al atacante, como el parámetro name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} en /icingaweb2/navigation/add o /icingaweb2/dashboard/new-dashlet. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00031.html https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180030.txt • CWE-94: Improper Control of Generation of Code ('Code Injection') •