GHSA-w9pg-7c3h-fc8j

Suggest an improvement
Source
https://github.com/advisories/GHSA-w9pg-7c3h-fc8j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-w9pg-7c3h-fc8j/GHSA-w9pg-7c3h-fc8j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w9pg-7c3h-fc8j
Aliases
Published
2024-08-05T14:39:09Z
Modified
2024-08-06T14:55:49.722388Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
ipl/web's `ipl\Web\Common\CsrfCounterMeasure` is susceptible to CSRF
Details

Impact

Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF)

Affected products:

  • Icinga Web (>=2.12.0)
  • Icinga DB Web (>=1.0.0)
  • Icinga Notifications Web (>=0.1.0)
  • Icinga Web JIRA Integration (>=1.3.0)

All affected products, in any version, will be unaffected by this once icinga-php-library is upgraded.

Patches

Version 0.10.1 will include a fix for this. It will be published as part of the icinga-php-library v0.14.1 release.

References

Affected packages

Packagist / ipl/web

Package

Name
ipl/web
Purl
pkg:composer/ipl/web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.10.1

Affected versions

v0.*

v0.1.0
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.7.1
v0.8.0
v0.9.0
v0.9.1
v0.9.2
v0.10.0