Nilmerg

**Name of the Vulnerable Software and Affected Versions** Icinga Web versions prior to 0.13.1 **Description** An issue allows an attacker to inject malicious Javascript into a victim's browser to execute it within the context of Icinga Web. This occurs when a victim visits a specifically prepared website, potentially without noticing any suspicious activity. **Recommendations** Update to version 0.13.1. Enable the Content-Security-Policy (CSP) in the general configuration of Icinga Web.

**Name of the Vulnerable Software and Affected Versions** Icinga DB Web versions 1.2.0 through 1.2.1 **Description** Icinga DB Web, a graphical interface for Icinga monitoring, allows users with access to Icinga Dependency Views to view hosts and services they are not authorized to access on the dependency map. The name of the object is not revealed, and access to detail views is not granted. This issue affects the `filter/hosts` and `filter/services` restrictions. **Recommendations** Downgrade to version 1.1.3. Update to version 1.2.2.

**Name of the Vulnerable Software and Affected Versions** Icinga Web versions 2.12.0 and later Icinga DB Web versions 1.0.0 and later Icinga Notifications Web versions 0.1.0 and later Icinga Web JIRA Integration versions 1.3.0 and later **Description** The issue is related to cross-site request forgery (CSRF) under certain circumstances. All affected products will be unaffected once the `icinga-php-library` is upgraded. **Recommendations** For Icinga Web versions 2.12.0 and later, upgrade the `icinga-php-library` to version 0.10.1 or later, which will be published as part of the `icinga-php-library` v0.14.1 release. For Icinga DB Web versions 1.0.0 and later, upgrade the `icinga-php-library` to version 0.10.1 or later, which will be published as part of the `icinga-php-library` v0.14.1 release. For Icinga Notifications Web versions 0.1.0 and later, upgrade the `icinga-php-library` to version 0.10.1 or later, which will be published as part of the `icinga-php-library` v0.14.1 release. For Icinga Web JIRA Integration versions 1.3.0 and later, upgrade the `icinga-php-library` to version 0.10.1 or later, which will be published as part of the `icinga-php-library` v0.14.1 release.

**Name of the Vulnerable Software and Affected Versions** icingaweb2-module-incubator versions prior to 0.22.0 **Description** The issue concerns the class `gipflWebForm`, which is the base for various concrete form implementations and provides protection against cross-site request forgery (CSRF) by default. However, even if enabled, the CSRF token sent during a client's submission of a form relying on it is not validated. This enables attackers to perform changes on behalf of a user who unknowingly interacts with a prepared link or website. **Recommendations** For versions prior to 0.22.0, upgrade to version 0.22.0 to remedy the issue. As a temporary workaround, consider disabling the `gipflWebForm` class until a patch is available. However, since there are no known workarounds for this vulnerability, upgrading to the fixed version is the recommended course of action.

**Name of the Vulnerable Software and Affected Versions** icingaweb2-module-jira versions 1.3.0 through 1.3.2 **Description** The issue affects the integration with Atlassian Jira, where template and field configuration forms perform deletion actions before validating user input, including the cross-site request forgery token. This allows for potential unauthorized actions. The problem is fixed in version 1.3.2. **Recommendations** For versions 1.3.0 through 1.3.1, update to version 1.3.2 to resolve the issue. For version 1.3.2, no action is required as this version already contains the fix.

**Name of the Vulnerable Software and Affected Versions** Icinga Web 2 versions prior to 2.8.6 Icinga Web 2 versions prior to 2.9.6 Icinga Web 2 versions prior to 2.10 **Description** Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. **Recommendations** For versions prior to 2.8.6, update to version 2.8.6 or later. For versions prior to 2.9.6, update to version 2.9.6 or later. For versions prior to 2.10, update to version 2.10 or later. As a temporary workaround for users unable to upgrade, limit access to the Icinga Web 2 configuration.

**Name of the Vulnerable Software and Affected Versions** Icinga Web 2 versions prior to 2.8.6 Icinga Web 2 versions prior to 2.9.6 Icinga Web 2 versions prior to 2.10 **Description** Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. **Recommendations** For Icinga Web 2 versions prior to 2.8.6, update to version 2.8.6 or later. For Icinga Web 2 versions prior to 2.9.6, update to version 2.9.6 or later. For Icinga Web 2 versions prior to 2.10, update to version 2.10 or later.

**Name of the Vulnerable Software and Affected Versions** Icinga Web 2 versions 2.0.0 through 2.8.2 **Description** A vulnerability exists in Icinga Web 2 where custom variables are exposed to unauthorized users. Custom variables are user-defined keys and values on configuration objects in Icinga 2, commonly used to reference secrets in other configurations. Icinga Web 2 displays these custom variables to logged-in users with access to said hosts or services. Protection rules and blacklists can be set up to protect the secrets, but these have no effect when custom variables are accessed using an undocumented URL parameter. This parameter allows custom variables to be shown as-is in the result, even when exporting to JSON or CSV. **Recommendations** For versions 2.0.0 through 2.8.2, update to version 2.9.0, 2.8.3, or 2.7.5 to resolve the issue. As a temporary workaround, set up a restriction to hide hosts and services with the custom variable in question.

**Name of the Vulnerable Software and Affected Versions** Icinga Web 2 versions 2.3.0 through 2.8.2 **Description** The issue in Icinga Web 2's `doc` module allows an attacker to gain access to arbitrary files readable by the web-server user by visiting a certain route. The `doc` module must be manually enabled by an administrator, and users need explicit access permission to use it. This issue can be exploited remotely, allowing an attacker to access confidential data. **Recommendations** For versions 2.3.0 through 2.8.2, update to version 2.9.0, 2.8.3, or 2.7.5 to resolve the issue. As a temporary workaround, consider disabling the `doc` module or revoking permission to use it from all users.