CVE-2018-18248

Name of the Vulnerable Software and Affected Versions Icinga Web 2 (affected versions not specified)

Description The issue is related to XSS via several API endpoints, including "/icingaweb2/monitoring/list/services" with the dir parameter, "/icingaweb2/user/list" with the query string, "/icingaweb2/monitoring/timeline" with the query string, and "/icingaweb2/setup" with the query string.

Recommendations As a temporary workaround, consider restricting access to the "/icingaweb2/monitoring/list/services" endpoint with the dir parameter until a patch is available. Restrict access to the "/icingaweb2/user/list" endpoint to minimize the risk of exploitation. Avoid using the query string in the affected "/icingaweb2/monitoring/timeline" endpoint until the issue is resolved. Restrict access to the "/icingaweb2/setup" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.