usd-2018-0028 | Icinga Web 2/2.6.1

Advisory ID: usd-2018-0028
CVE number: CVE-2018-18248
Affected Product: Icinga Web 2
Affected Version: 2.6.1
Vulnerability Type: Reflected XSS
Security Risk: medium
Vendor URL:
Vendor Status: Won’t fix


Reflected XSS attacks (or non-persistent attacks) occur when a malicious script is reflected off a web application into the victim’s browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a vulnerable website that then enables execution of the malicious script.

Proof of Concept (PoC)

Icinga Web 2 does not properly validate and encode parameters received through HTTP GET requests. When the following URLs are requested by an authenticated user the HTTP response will contain malicious JavaScript:




The following URL requires the setup module to be enabled but does not require the victim to be authenticated:


Since the payload is introduced through the URL, some modern browsers will encode the special characters (´, ', “, etc.) or detect the XSS attempt and block the request. This should mitigate the effects of this vulnerability in most real-world cases.



Make sure to validate the user-supplied input and encode the output.
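As an added illustration of the fix recommended above (example code written for this page, not Icinga Web 2’s own PHP), a minimal Python handler that reflects a GET parameter unencoded beside one that validates its input and HTML-encodes its output for the context it lands in; the URL, parameter names and payload are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request standing in for a reflected GET parameter;
# the advisory's real URLs are not reproduced here.
SAMPLE_URL = "/icingaweb2/example?name=<script>alert(1)</script>&host=web01"

HOST_PATTERN = re.compile(r"[A-Za-z0-9.-]{1,253}")


def render_vulnerable(url: str) -> str:
    """Echoes the GET parameter into the page without any encoding (the defect class)."""
    params = parse_qs(urlsplit(url).query)
    name = params.get("name", [""])[0]
    return f"<p>Results for {name}</p>"


def render_hardened(url: str) -> str:
    """Validates input against an allow-list and encodes output per HTML context."""
    params = parse_qs(urlsplit(url).query)
    name = params.get("name", [""])[0]
    host = params.get("host", [""])[0]
    # Input validation: a host name parameter only needs a narrow character set.
    if not HOST_PATTERN.fullmatch(host):
        raise ValueError("invalid host parameter")
    # Output encoding: text node context and double-quoted attribute context
    # need different treatment (quotes matter only inside the attribute).
    safe_text = html.escape(name, quote=False)
    safe_attr = html.escape(name, quote=True)
    return (
        f"<p>Results for {safe_text}</p>"
        f'<input type="text" name="name" value="{safe_attr}">'
    )


def contains_raw_script_tag(markup: str) -> bool:
    """Simple check used to compare the two renderers on the same input."""
    return "<script" in markup.lower()
```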


  • 2018-09-12 First contact request via
  • 2018-10-02 Vendor received advisories via
  • 2018-10-11 CVE-ID requested
  • 2018-10-12 received CVE ID and notified vendor about it
  • 2018-11-08 vendor states that they won’t fix the vulnerability as in their opinion it is already handled reasonably by browsers
  • 2018-11-09 extended public disclosure deadline to 2018-11-25
  • 2018-12-07 Security advisory released


These security vulnerabilities were found by Maximilian Boehner of usd AG.
