VYPR
Medium severity (score 6.1) · NVD Advisory · Published Mar 27, 2017 · Updated May 13, 2026

CVE-2015-8010

Description

XSS in Icinga Classic-UI CSV export and pagination via unsanitized QUERY_STRING allows remote attackers to inject arbitrary script or HTML.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the Classic-UI component of Icinga before version 1.14. The bug resides in the CSV export link and pagination feature, where the function parsing the QUERY_STRING environment variable does not properly sanitize input before reflecting it in the HTML output. This allows an attacker to inject arbitrary web script or HTML via the query string to /cgi-bin/status.cgi [1][2]. The vulnerability was introduced in version 1.3 and affects all versions up to 1.13.3 [2][3].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL whose query string contains an XSS payload. For example: http://classic.demo.icinga.org/icinga/cgi-bin/status.cgi?host=all&'onmouseover='prompt(25435);'bad=' [2]. No authentication or special privileges are required; the attacker only needs to lure a victim into clicking the crafted link or visiting a page that triggers the vulnerable functionality [1][2].

Impact

Successful exploitation results in arbitrary JavaScript execution in the context of the victim's browser session. This can lead to information disclosure, session hijacking, defacement, or other actions that the authenticated user can perform. The impact is limited to the Classic-UI interface and depends on the privileges of the targeted user [2][3].

Mitigation

The vulnerability is fixed in Icinga version 1.14, released on or around 2015-10-30 [3]. The fix sanitizes the QUERY_STRING parsing by reworking the getcgivars() function so that parsed CGI parameters are properly handled and output encoding is applied [3]. Users should upgrade to Icinga 1.14 or later. No workaround is provided for older versions; if upgrading is not possible, restrict access to the Classic-UI and avoid using untrusted query strings [1][3].
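Added example (not Icinga's code): the reflection pattern the advisory describes beside the output-encoding fix, written in C because Classic-UI is a C CGI. The link template, function names and the escaping routine are assumptions; the query string used for testing is the advisory's own example URL.

```c
#include <stdio.h>
#include <string.h>

/* HTML-encode an untrusted string into out (capacity n): the five characters that
 * can end an attribute value or text node become entities. Returns bytes written
 * (excluding NUL) or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t n) {
    size_t used = 0;
    for (; *in; in++) {
        char lit[2] = { *in, '\0' };
        const char *rep = lit;
        switch (*in) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (used + len >= n) return -1;
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return (int)used;
}

/* Vulnerable pattern: the raw QUERY_STRING is spliced into the single-quoted href
 * of the CSV export link, so a quote in the query string closes the attribute. */
int csv_link_unsafe(const char *qs, char *out, size_t n) {
    return snprintf(out, n, "<a href='status.cgi?%s&csvoutput'>CSV</a>", qs);
}

/* Hardened pattern: encode the query string before reflecting it. */
int csv_link_safe(const char *qs, char *out, size_t n) {
    char esc[1024];
    if (html_escape(qs, esc, sizeof esc) < 0) return -1;
    return snprintf(out, n, "<a href='status.cgi?%s&csvoutput'>CSV</a>", esc);
}

/* Render the link with either builder and count single quotes in the result.
 * The template contributes exactly two; more means input broke out of href. */
int quote_count(const char *qs, int hardened) {
    char html[4096];
    int k = 0;
    if ((hardened ? csv_link_safe(qs, html, sizeof html)
                  : csv_link_unsafe(qs, html, sizeof html)) < 0) return -1;
    for (const char *p = html; *p; p++) if (*p == '\'') k++;
    return k;
}
```

With the advisory's example query string, the unsafe builder emits six single quotes (four of them from the input, which terminate the href and leave an event handler inside the tag), while the hardened builder emits only the template's two.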

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
