Icinga 'expand' Parameter Cross-Site Scripting Vulnerability Network Vulnerability

Summary

This host is running Icinga and is prone to cross site scripting vulnerability.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to Icinga versions 1.4.1 or later. For updates refer to http://www.icinga.org/download/

Insight

The flaw is caused by improper validation of user-supplied input passed via the 'expand' parameter in cgi-bin/config.cgi, which allows attackers to execute arbitrary HTML and script code on the web server.

Affected

Icinga versions 1.4.0 and prior.

References

http://packetstormsecurity.org/files/view/101904/SSCHADV2011-005.txt
http://www.securityfocus.com/archive/1/518218
https://dev.icinga.org/issues/1605

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-2179

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

AdaptCMS Lite Cross Site Scripting and Remote File Include Vulnerabilities
Adiscon LogAnalyzer 'highlight' Parameter Cross Site Scripting Vulnerability
Adobe ColdFusion Unspecified Information Disclosure Vulnerability
123 Flash Chat Multiple Security Vulnerabilities
AN Guestbook Local File Inclusion Vulnerability

Take action and discover your vulnerabilities