Ricardo

**Name of the Vulnerable Software and Affected Versions** Icinga versions prior to 1.14 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the Classic-UI, specifically with the CSV export link and pagination feature. This allows remote attackers to inject arbitrary web script or HTML via the query string to the "cgi-bin/status.cgi" endpoint. **Recommendations** For versions prior to 1.14, update to version 1.14 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Icinga versions prior to 1.8.5 Icinga versions prior to 1.9.4 Icinga versions prior to 1.10.2 **Description** The issue allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a long string to certain functions, including `display nav table`, `page limit selector`, `print export link`, `page num selector`, `status page num selector`, and `display command expansion`. It can also be exploited without authentication by leveraging another vulnerability. **Recommendations** For Icinga versions prior to 1.8.5, update to version 1.8.5 or later. For Icinga versions prior to 1.9.4, update to version 1.9.4 or later. For Icinga versions prior to 1.10.2, update to version 1.10.2 or later. As a temporary workaround, consider restricting access to the `cgi/cgiutils.c`, `cgi/status.c`, and `cgi/config.c` files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Icinga versions 1.8.5 and earlier Icinga versions 1.9.4 and earlier Icinga versions 1.10.2 and earlier **Description** A cross-site request forgery (CSRF) issue in cmd.cgi allows remote attackers to hijack user authentication for unspecified commands. This can be exploited via unspecified vectors. The vulnerability may lead to disruption of confidentiality, integrity, and availability of protected information. Exploitation can be done remotely. **Recommendations** For Icinga version 1.8.5 and earlier, update to a version that fixes the CSRF vulnerability in cmd.cgi. For Icinga version 1.9.4 and earlier, update to a version that fixes the CSRF vulnerability in cmd.cgi. For Icinga version 1.10.2 and earlier, update to a version that fixes the CSRF vulnerability in cmd.cgi. As a temporary workaround, consider restricting access to cmd.cgi to minimize the risk of exploitation.