CVSS: 3.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41811 – ipl/web susceptible to Cross-Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2024-41811
ipl/web is a set of common web components for php projects. Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF). All affected products, in any version, will be unaffected by this once `icinga-php-library` is upgraded. Version 0.10.1 includes a fix for this. • https://github.com/Icinga/ipl-web/commit/492336fdb57a5bb0881ed642ab36f5841337571e https://github.com/Icinga/ipl-web/security/advisories/GHSA-w9pg-7c3h-fc8j • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24819 – icingaweb2-module-incubator base implementation for HTML forms is susceptible to CSRF
https://notcve.org/view.php?id=CVE-2024-24819
icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding an element with a CSRF token to any form, unless explicitly disabled, but even if enabled, the CSRF token (sent during a client's submission of a form relying on it) is not validated. This enables attackers to perform changes on behalf of a user which, unknowingly, interacts with a prepared link or website. The version 0.22.0 is available to remedy this issue. • https://github.com/Icinga/icingaweb2-module-incubator/commit/db7dc49585fee0b4e96be666d7f6009a74a1ccb5 https://github.com/Icinga/icingaweb2-module-incubator/security/advisories/GHSA-p8vv-9pqq-rm8p https://github.com/search?q=gipfl%5CWeb%5CForm%3B&type=code • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 1CVE-2024-24820 – Icinga Director configuration is susceptible to Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-24820
Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. • https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3 https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947 https://github.com/nbuchwitz/icingaweb2-module-map/pull/86 https://support.apple.com/en-is/guide/safari/sfri11471/16.0 https://www.chromium.org/updates/same-site • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30607 – icingaweb2-module-jira template and field configuration are susceptible to CSRF
https://notcve.org/view.php?id=CVE-2023-30607
icingaweb2-module-jira provides integration with Atlassian Jira. Starting in version 1.3.0 and prior to version 1.3.2, template and field configuration forms perform the deletion action before user input is validated, including the cross site request forgery token. This issue is fixed in version 1.3.2. There are no known workarounds. • https://github.com/Icinga/icingaweb2-module-jira/commit/7f0c53b7a3e87be2f4c2e8840805d7b7c9762424 https://github.com/Icinga/icingaweb2-module-jira/releases/tag/v1.3.2 https://github.com/Icinga/icingaweb2-module-jira/security/advisories/GHSA-gh7w-7f7j-gwp5 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-24714 – Disclosure of hosts and related data, linked to decommissioned services in Icinga Web 2
https://notcve.org/view.php?id=CVE-2022-24714
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. • https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293 https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf https://security.gentoo.org/glsa/202208-05 • CWE-863: Incorrect Authorization •