usd-2018-0028 | Icinga Web 2/2.6.1
Advisory ID: usd-2018-0028
CVE number: CVE-2018-18248
Affected Product: Icinga Web 2
Affected Version: 2.6.1
Vulnerability Type: Reflected XSS
Security Risk: medium
Vendor URL: https://www.icinga.com/
Vendor Status: Won’t fix
A reflected (non-persistent) XSS attack occurs when a malicious script is reflected off a web application into the victim's browser. The payload is typically delivered by email or via a web site and triggered through a link; the link sends a request to the vulnerable site, which echoes the script back in its response so that it executes in the victim's browser within the site's origin.
Proof of Concept (PoC)
The following URL requires the setup module to be enabled, but the victim does not need to be authenticated:
Since the payload is introduced through the URL, some modern browsers encode the special characters (´ ' “ etc.) or detect the XSS attempt and block the request. This mitigates the vulnerability in many real-world cases, but it is not a dependable control: Firefox never shipped an XSS filter, and Chromium removed its XSS Auditor in Chrome 78, so server-side encoding remains the only reliable fix.
Validate user-supplied input against the shape that is expected, and encode all output for the context (HTML text, attribute, JavaScript) into which it is written.
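The following PHP snippet is an added illustration for this advisory, not code from Icinga Web 2 or from usd AG. It shows the reflection pattern described above beside the recommended fix: the same request parameter rendered unencoded, then encoded for each output context, plus a shape check for a parameter with a known format. The parameter name `q`, the page fragments, the `validatePage` helper and the payload are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration for this advisory, not code from Icinga Web 2. The parameter
// name "q", the page fragments and the payload below are constructed for the example.

// Vulnerable pattern: a request parameter is concatenated into the response unencoded.
function renderVulnerable(string $q): string
{
    return '<p>You searched for: ' . $q . '</p>';
}

// Encoding for HTML text and attribute contexts. ENT_QUOTES also encodes the single
// quote; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning "".
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding for a JavaScript context: json_encode with the HEX flags so that <, >, &, '
// and " cannot terminate an enclosing <script> block or attribute.
function encodeForJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Hardened pattern: the same value, encoded for each context it is written into.
function renderHardened(string $q): string
{
    return '<p>You searched for: ' . encodeForHtml($q) . '</p>' . PHP_EOL
         . '<input type="text" name="q" value="' . encodeForHtml($q) . '">' . PHP_EOL
         . '<script>var lastQuery = ' . encodeForJs($q) . ';</script>';
}

// Input validation for parameters with a known shape (here: a page number). Rejecting
// unexpected input early is a second line of defence; it does not replace output encoding.
function validatePage(string $raw): int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($page === false) {
        throw new InvalidArgumentException('page must be a positive integer');
    }
    return $page;
}

// Constructed payload of the kind a reflected-XSS link would carry in a query parameter.
$payload = '"><script>alert(document.domain)</script>';

echo '--- vulnerable ---', PHP_EOL, renderVulnerable($payload), PHP_EOL;
echo '--- hardened ---', PHP_EOL, renderHardened($payload), PHP_EOL;

// In the hardened output the only "<script" left is the page's own tag; the payload's
// copy is encoded as &lt;script&gt; in HTML contexts and \u003Cscript\u003E in JS.
$count = substr_count(renderHardened($payload), '<script');
assert($count === 1, 'only the page\'s own <script> tag may remain');

try {
    validatePage('2');        // passes the shape check
    validatePage($payload);   // rejected before it reaches any template
} catch (InvalidArgumentException $e) {
    echo 'validation: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php` on the command line. The point of the two encoders is that one function does not fit every context: `htmlspecialchars` is correct for text and quoted attribute values, but a value placed inside a `<script>` block needs JavaScript-string encoding, and an attribute value must additionally be quoted in the template, as `renderHardened` does.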
- 2018-09-12 First contact request via firstname.lastname@example.org
- 2018-10-02 Vendor received advisories via email@example.com
- 2018-10-11 CVE-ID requested
- 2018-10-12 received CVE ID and notified vendor about it
- 2018-11-08 vendor states that they won't fix the vulnerability as in their opinion it is already handled reasonably by browsers
- 2018-11-09 extended public disclosure deadline to 2018-11-25
- 2018-12-07 Security advisory released
These security vulnerabilities were found by Maximilian Boehner of usd AG.