CVE-2018-18247 Common Vulnerabilities and Exposures

Upstream information

CVE-2018-18247 at MITRE

Description

Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter.

SUSE information

Overall state of this security issue: Resolved

This issue is currently not rated by SUSE as it is not affecting the SUSE Enterprise products.

CVSS v2 Scores
	National Vulnerability Database
Base Score	3.5
Vector	AV:N/AC:M/Au:S/C:N/I:P/A:N
Access Vector	Network
Access Complexity	Medium
Authentication	Single
Confidentiality Impact	None
Integrity Impact	Partial
Availability Impact	None

CVSS v3 Scores
	National Vulnerability Database
Base Score	5.4
Vector	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required
Scope	Changed
Confidentiality Impact	Low
Integrity Impact	Low
Availability Impact	None
CVSSv3 Version	3

SUSE Bugzilla entry: 1119785 [RESOLVED / WONTFIX]

SUSE Security Advisories:

openSUSE-SU-2020:0067-1, published Thu Dec 7 12:55:39 2023

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 12	`icingacli >= 2.7.3-9.1` `icingaweb2 >= 2.7.3-9.1` `icingaweb2-common >= 2.7.3-9.1` `icingaweb2-vendor-HTMLPurifier >= 2.7.3-9.1` `icingaweb2-vendor-JShrink >= 2.7.3-9.1` `icingaweb2-vendor-Parsedown >= 2.7.3-9.1` `icingaweb2-vendor-dompdf >= 2.7.3-9.1` `icingaweb2-vendor-lessphp >= 2.7.3-9.1` `icingaweb2-vendor-zf1 >= 2.7.3-9.1` `php-Icinga >= 2.7.3-9.1`	Patchnames: openSUSE-2020-67
SUSE Package Hub 15 SP1	`icingacli >= 2.7.3-bp151.5.3.1` `icingaweb2 >= 2.7.3-bp151.5.3.1` `icingaweb2-common >= 2.7.3-bp151.5.3.1` `icingaweb2-vendor-HTMLPurifier >= 2.7.3-bp151.5.3.1` `icingaweb2-vendor-JShrink >= 2.7.3-bp151.5.3.1` `icingaweb2-vendor-Parsedown >= 2.7.3-bp151.5.3.1` `icingaweb2-vendor-dompdf >= 2.7.3-bp151.5.3.1` `icingaweb2-vendor-lessphp >= 2.7.3-bp151.5.3.1` `icingaweb2-vendor-zf1 >= 2.7.3-bp151.5.3.1` `php-Icinga >= 2.7.3-bp151.5.3.1`	Patchnames: openSUSE-2020-67
SUSE Package Hub 15	`icingacli >= 2.7.3-bp150.2.7.1` `icingaweb2 >= 2.7.3-bp150.2.7.1` `icingaweb2-common >= 2.7.3-bp150.2.7.1` `icingaweb2-vendor-HTMLPurifier >= 2.7.3-bp150.2.7.1` `icingaweb2-vendor-JShrink >= 2.7.3-bp150.2.7.1` `icingaweb2-vendor-Parsedown >= 2.7.3-bp150.2.7.1` `icingaweb2-vendor-dompdf >= 2.7.3-bp150.2.7.1` `icingaweb2-vendor-lessphp >= 2.7.3-bp150.2.7.1` `icingaweb2-vendor-zf1 >= 2.7.3-bp150.2.7.1` `php-Icinga >= 2.7.3-bp150.2.7.1`	Patchnames: openSUSE-2020-67
openSUSE Leap 15.0	`icingacli >= 2.7.3-lp150.4.7.1` `icingaweb2 >= 2.7.3-lp150.4.7.1` `icingaweb2-common >= 2.7.3-lp150.4.7.1` `icingaweb2-vendor-HTMLPurifier >= 2.7.3-lp150.4.7.1` `icingaweb2-vendor-JShrink >= 2.7.3-lp150.4.7.1` `icingaweb2-vendor-Parsedown >= 2.7.3-lp150.4.7.1` `icingaweb2-vendor-dompdf >= 2.7.3-lp150.4.7.1` `icingaweb2-vendor-lessphp >= 2.7.3-lp150.4.7.1` `icingaweb2-vendor-zf1 >= 2.7.3-lp150.4.7.1` `php-Icinga >= 2.7.3-lp150.4.7.1`	Patchnames: openSUSE-2020-67
openSUSE Leap 15.1	`icingacli >= 2.7.3-lp151.6.5.1` `icingaweb2 >= 2.7.3-lp151.6.5.1` `icingaweb2-common >= 2.7.3-lp151.6.5.1` `icingaweb2-vendor-HTMLPurifier >= 2.7.3-lp151.6.5.1` `icingaweb2-vendor-JShrink >= 2.7.3-lp151.6.5.1` `icingaweb2-vendor-Parsedown >= 2.7.3-lp151.6.5.1` `icingaweb2-vendor-dompdf >= 2.7.3-lp151.6.5.1` `icingaweb2-vendor-lessphp >= 2.7.3-lp151.6.5.1` `icingaweb2-vendor-zf1 >= 2.7.3-lp151.6.5.1` `php-Icinga >= 2.7.3-lp151.6.5.1`	Patchnames: openSUSE-2020-67
openSUSE Tumbleweed	`icingacli >= 2.8.4-1.6` `icingaweb2 >= 2.8.4-1.6` `icingaweb2-common >= 2.8.4-1.6` `icingaweb2-vendor-HTMLPurifier >= 2.8.4-1.6` `icingaweb2-vendor-JShrink >= 2.8.4-1.6` `icingaweb2-vendor-Parsedown >= 2.8.4-1.6` `icingaweb2-vendor-dompdf >= 2.8.4-1.6` `icingaweb2-vendor-lessphp >= 2.8.4-1.6` `icingaweb2-vendor-zf1 >= 2.8.4-1.6` `php-Icinga >= 2.8.4-1.6`	Patchnames: openSUSE Tumbleweed GA icingacli-2.8.4-1.6

SUSE Timeline for this CVE

CVE page created: Tue Dec 18 05:44:20 2018
CVE page last modified: Thu Dec 7 13:23:49 2023