CVE-2018-18248
Published: 2018-12-17
Priority: P424 · Severity: medium · CVSS 3.0: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.72% (49.2th percentile)
Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | cups | >= 0 < 1.7.2-0ubuntu1.10 | 1.7.2-0ubuntu1.10 |
| apple | cups | >= 0 < 2.1.3-4ubuntu0.5 | 2.1.3-4ubuntu0.5 |
| apple | cups | >= 0 < 2.2.7-1ubuntu2.1 | 2.2.7-1ubuntu2.1 |
| debian | icingaweb2 | < icingaweb2 2.6.2-1 (bookworm) | icingaweb2 2.6.2-1 (bookworm) |
| icinga | icinga_web_2 | — | — |
| icinga | icingaweb2 | >= 0 < 2.6.2-1 | 2.6.2-1 |
| icinga | icingaweb2 | >= 0 < 2.6.2-1 | 2.6.2-1 |
| icinga | icingaweb2 | >= 0 < 2.6.2-1 | 2.6.2-1 |
| icinga | icingaweb2 | >= 0 < 2.6.2-1 | 2.6.2-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
GHSA
GHSA-xx3p-ffq8-9pcp · ghsa_unreviewed · 2022-05-13 · CVE-2018-18248 · MEDIUM · CWE-79
OSV
CVE-2018-18248 · osv · 2018-12-17 · CVSS 6.1 · MEDIUM
OSV
cups vulnerabilities (CVE-2017-18248) · osv · 2018-07-11 · CVSS 5.3
It was discovered that CUPS incorrectly handled certain print jobs with
invalid usernames. A remote attacker could possibly use this issue to cause
CUPS to crash, resulting in a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2017-18248)
Dan Bastone discovered that the CUPS dnssd backend incorrectly handled
certain environment variables. A local attacker could possibly use this
issue to escalate privileges. (CVE-2018-4180)
Eric Rafaloff and John Dunlap discovered that CUPS incorrectly handled
certain include directives. A local attacker could possibly use this issue
to read arbitrary files. (CVE-2018-4181)
Dan Bastone discovered that the CUPS AppArmor profile incorrectly confined
the dnssd backend. A local attac
Debian
icingaweb2 · CVE-2018-18248 · vendor_debian · 2018 · CVSS 6.1 · MEDIUM
Scope: local
bookworm: resolved (fixed in 2.6.2-1)
bullseye: resolved (fixed in 2.6.2-1)
forky: resolved (fixed in 2.6.2-1)
sid: resolved (fixed in 2.6.2-1)
trixie: resolved (fixed in 2.6.2-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.