CVE-2024-41811

ipl/web susceptible to Cross-Site Request Forgery (CSRF)

Severity Score

3.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

ipl/web is a set of common web components for php projects. Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF). All affected products, in any version, will be unaffected by this once `icinga-php-library` is upgraded. Version 0.10.1 includes a fix for this. It will be published as part of the `icinga-php-library` v0.14.1 release.

*Credits: N/A

CVSS Scores

GitHubv3.1 3.9

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-22 CVE Reserved
2024-08-05 CVE Published
2024-08-06 CVE Updated
2024-08-06 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (2)

URL	Tag	Source
https://github.com/Icinga/ipl-web/commit/492336fdb57a5bb0881ed642ab36f5841337571e	X_refsource_misc
https://github.com/Icinga/ipl-web/security/advisories/GHSA-w9pg-7c3h-fc8j	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Icinga Search vendor "Icinga"		Ipl-web Search vendor "Icinga" for product "Ipl-web"				< 0.10.1 Search vendor "Icinga" for product "Ipl-web" and version " < 0.10.1"		en		Affected