CVE-2018-18248 — Cross-site Scripting in WEB 2

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 52.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Icinga Icingaweb2 Icinga WEB 2

Timeline

PublishedDec 17

Latest updateMay 13

Description

Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Debianicinga/icingaweb2< 2.6.2-1+3

▶NVDicinga/icinga_web_22.6.1

🔴Vulnerability Details

GHSA

GHSA-xx3p-ffq8-9pcp: Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/ti↗2022-05-13

▶

CVEList

CVE-2018-18248: Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/ti↗2018-12-17

▶

OSV

CVE-2018-18248: Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/ti↗2018-12-17

▶

OSV

cups vulnerabilities↗2018-07-11

▶

📋Vendor Advisories

Debian

CVE-2018-18248: icingaweb2 - Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter,...↗2018

▶