Today we announce a security update for Icinga PHP Library. It fixes a severe cross-site scripting (XSS) vulnerability that affects multiple Icinga products at once. It has been published as GHSA-55wf-5m3q-6jjf.
Installing the update v0.19.2 as soon as possible is highly recommended. Packages are available now.
An attacker needs to lure the victim onto a familiar-looking but malicious website. The attack is then prepared in the background and opens a browser tab that sends the user to a compromised Icinga Web instance.
The attack is effectively mitigated if CSP (Content-Security-Policy) is enabled in Icinga Web (available since v2.12.0), or if the browser in use applies a default value other than None for the SameSite cookie attribute.
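To check whether your own instance benefits from either mitigation, the following script (an added example, not part of the advisory and not Icinga code) parses an HTTP response's headers and reports whether a Content-Security-Policy header is present and which SameSite value each cookie effectively gets: the explicit attribute if set, otherwise the browser default (Lax in Chromium-based browsers; pass `"None"` to model a browser that applies no default). The sample header sets, the placeholder cookie name `session` and the URL in the fetch helper are constructed for illustration.

```python
"""Assess the two mitigations named in the advisory on an Icinga Web response.

Added example, not Icinga code. Header values and the cookie name are
constructed placeholders, not captured from a real instance.
"""
import urllib.request


def parse_set_cookie(value):
    """Split one Set-Cookie header into (cookie_name, {attribute: value}).

    Attribute names are lower-cased; valueless attributes (HttpOnly, Secure)
    map to True.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def assess_response(headers, browser_default_samesite="Lax"):
    """Evaluate CSP and SameSite mitigations for a list of (name, value) headers.

    browser_default_samesite is what the victim's browser assumes when a cookie
    carries no SameSite attribute (Chromium-based browsers use Lax).
    Returns a dict with:
      csp        - True if a Content-Security-Policy header is present
      cookies    - {cookie_name: (effective_samesite, "explicit"|"browser default")}
      mitigated  - True if CSP is present or no cookie is effectively SameSite=None
    """
    csp = any(name.lower() == "content-security-policy" for name, _ in headers)
    cookies = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(value)
        explicit = attrs.get("samesite")
        if explicit is None:
            cookies[cookie_name] = (browser_default_samesite, "browser default")
        else:
            cookies[cookie_name] = (explicit, "explicit")
    # Without any cookie there is no session to protect, so SameSite alone
    # cannot be credited as a mitigation.
    samesite_ok = bool(cookies) and all(
        effective.lower() != "none" for effective, _ in cookies.values()
    )
    return {"csp": csp, "cookies": cookies, "mitigated": csp or samesite_ok}


def fetch_headers(url):
    """Fetch a URL and return its response headers as (name, value) pairs.

    Only a convenience for running the check against a live instance; the
    constructed samples below do not use the network.
    """
    with urllib.request.urlopen(url) as resp:
        return resp.getheaders()


# Constructed samples; "session" is a placeholder cookie name.
UNMITIGATED = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "session=abc123; Path=/icingaweb2; HttpOnly; SameSite=None; Secure"),
]
MITIGATED_BY_CSP = UNMITIGATED + [("Content-Security-Policy", "default-src 'self'")]
NO_SAMESITE_ATTRIBUTE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "session=abc123; Path=/icingaweb2; HttpOnly; Secure"),
]


if __name__ == "__main__":
    for label, hdrs in [
        ("explicit SameSite=None, no CSP", UNMITIGATED),
        ("explicit SameSite=None, CSP present", MITIGATED_BY_CSP),
        ("no SameSite attribute, Chromium default", NO_SAMESITE_ATTRIBUTE),
    ]:
        print(label, "->", assess_response(hdrs))
    # Same response viewed from a browser that applies no SameSite default.
    print("no SameSite attribute, no browser default ->",
          assess_response(NO_SAMESITE_ATTRIBUTE, browser_default_samesite="None"))
```

Run it against a live instance with `assess_response(fetch_headers("https://icinga.example/icingaweb2/"))`; a result of `mitigated: False` means neither protection applies and the v0.19.2 update is the only fix.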