Impact
The vulnerability allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, embeds arbitrary JavaScript into it and lets the attacker act on behalf of that user.
Patches
This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2.
Workarounds
If you have Icinga Web 2.12.2, enable CSP in the application settings.
Any modern browser with a working CORS implementation also sufficiently guards against it.