GHSA-w9pg-7c3h-fc8j

Source

https://github.com/advisories/GHSA-w9pg-7c3h-fc8j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-w9pg-7c3h-fc8j/GHSA-w9pg-7c3h-fc8j.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-w9pg-7c3h-fc8j

Aliases

CVE-2024-41811

Published

2024-08-05T14:39:09Z

Modified

2024-08-06T14:48:26.849393Z

Severity

5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

ipl/web's `ipl\Web\Common\CsrfCounterMeasure` is susceptible to CSRF

Details

Impact

Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF)

Affected products:

Icinga Web (>=2.12.0)
Icinga DB Web (>=1.0.0)
Icinga Notifications Web (>=0.1.0)
Icinga Web JIRA Integration (>=1.3.0)

All affected products, in any version, will be unaffected by this once icinga-php-library is upgraded.

Patches

Version 0.10.1 will include a fix for this. It will be published as part of the icinga-php-library v0.14.1 release.

Database specific

{
    "github_reviewed_at": "2024-08-05T14:39:09Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ],
    "nvd_published_at": "2024-08-05T21:15:38Z"
}

References

Affected packages

Packagist / ipl/web

Package

Name: ipl/web
Purl: pkg:composer/ipl/web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.10.1

Affected versions

v0.*

v0.1.0

v0.2.0

v0.2.1

v0.3.0

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.7.1

v0.8.0

v0.9.0

v0.9.1

v0.9.2

v0.10.0