Icinga Reporting Stored Cross-Site Scripting Vulnerability Leading to Server-Side Request Forgery

Vulnerability

A stored cross-site scripting vulnerability has been identified in Icinga Reporting, specifically in versions 0.10.0 prior to 1.0.2. This vulnerability allows users to create templates that embed arbitrary JavaScript. When such a template is previewed, the JavaScript executes in the context of the user. Additionally, if a report using the template is printed to PDF, the JavaScript runs in the context of a headless browser, potentially leading to unauthorized actions or data exposure.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript, which can be used to perform actions on behalf of the user or the headless browser, depending on the context in which the template is used.

Remediation

Users are advised to upgrade to Icinga Reporting version 1.0.3, which addresses this vulnerability. It is also recommended to review all templates and remove any suspicious settings.
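
One way to triage templates during the review recommended above, as an added example that is not part of this advisory or of Icinga's code: it walks template settings and flags string values that contain active markup. The export layout and field names (`name`, `settings`, `header.text` and so on) are constructed assumptions, not Icinga Reporting's actual schema.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
# Constructed sample export; field names are assumptions, not the module's schema.
SAMPLE_TEMPLATES = [
    {"name": "weekly-sla", "settings": {"title": "Weekly SLA", "footer": {"text": "Page 1"}}},
    {"name": "ops-monthly", "settings": {"header": {"text": '<img src=x onerror="alert(1)">'}}},
    {"name": "mgmt", "settings": {"columns": ['<a href="JavaScript:void(0)">more</a>', "Host"]}},
    {"name": "legacy", "settings": {"title": "<script>alert(1)</script>"}},
]

class MarkupFinder(HTMLParser):
    """Records why a setting value looks like active HTML rather than plain text."""
    def __init__(self):
        super().__init__()
        self.reasons = []
    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.reasons.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.reasons.append(f"event handler {name}")
            elif name in URL_ATTRS and (value or "").strip().lower().startswith(SCRIPT_SCHEMES):
                self.reasons.append(f"script URL in {name}")

def walk(value, path=""):
    """Yield (path, text) for every string nested inside dicts and lists."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from walk(item, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value

def review(templates):
    """Return (template name, setting path, reason) for each suspicious value."""
    findings = []
    for template in templates:
        for path, text in walk(template["settings"]):
            finder = MarkupFinder()
            finder.feed(text)
            finder.close()
            findings.extend((template["name"], path, r) for r in finder.reasons)
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_TEMPLATES), sep="\n")
```

This is a triage heuristic, not a sanitizer: each flagged setting still needs a manual look, and upgrading remains the fix.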

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 4.5
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.