Icinga ipl-web Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Icinga ipl-web versions prior to 0.13.1. This issue allows an attacker to inject malicious JavaScript that is executed in the context of the Icinga Web application. The exploitation requires the victim to visit a specially crafted website, and the injected script may go unnoticed immediately.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.

Remediation

Users can upgrade to Icinga ipl-web version 0.13.1, which addresses this vulnerability. This version will also be included in the upcoming Icinga PHP Library release 0.19.2. Alternatively, Icinga Web users can enable the Content-Security-Policy (CSP) in their general configuration, a feature available since Icinga Web version 2.12.0.