cbcvebase.
CVE-2018-18248
published 2018-12-17

CVE-2018-18248: Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline…

Priority: P4 · 24 · medium · 6.1 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.72% (49.2th percentile)
Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string.

Affected

9 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | cups | >= 0 < 1.7.2-0ubuntu1.10 | 1.7.2-0ubuntu1.10 |
| apple | cups | >= 0 < 2.1.3-4ubuntu0.5 | 2.1.3-4ubuntu0.5 |
| apple | cups | >= 0 < 2.2.7-1ubuntu2.1 | 2.2.7-1ubuntu2.1 |
| debian | icingaweb2 | < icingaweb2 2.6.2-1 (bookworm) | icingaweb2 2.6.2-1 (bookworm) |
| icinga | icinga_web_2 | | |
| icinga | icingaweb2 | >= 0 < 2.6.2-1 | 2.6.2-1 |
| icinga | icingaweb2 | >= 0 < 2.6.2-1 | 2.6.2-1 |
| icinga | icingaweb2 | >= 0 < 2.6.2-1 | 2.6.2-1 |
| icinga | icingaweb2 | >= 0 < 2.6.2-1 | 2.6.2-1 |

CVSS provenance

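| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 6.1 | MEDIUM | |
| vendor_debian | | 6.1 | MEDIUM | |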