Bug 952777 (CVE-2015-8010) - VUL-0: CVE-2015-8010: icinga: XSS in Icinga Classic-UI
Summary: VUL-0: CVE-2015-8010: icinga: XSS in Icinga Classic-UI
Status: RESOLVED FIXED
Alias: CVE-2015-8010
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Lars Vogdt
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/158393/
Whiteboard: CVSSv2:NVD:CVE-2015-8010:4.3:(AV:N/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-30 08:47 UTC by Johannes Segitz
Modified: 2019-06-07 15:52 UTC
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2015-10-30 08:47:53 UTC
CVE-2015-8010

From: Ricardo (no last name) on OSS

There is an XSS vulnerability in Icinga Classic-UI 1.13.3.

This got originally introduced with this issue https://dev.icinga.org/issues/593 and version 1.3.

Example: http://classic.demo.icinga.org/icinga/cgi-bin/status.cgi?host=all&'onmouseover='prompt(25435);'bad='

More info can be found in this issue: https://dev.icinga.org/issues/10453

======

Found by T-Systems Germany

openSUSE 13.1, 13.2, 42, Factory and SLE 12 affected

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8010
http://seclists.org/oss-sec/2015/q4/196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8010
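As an added illustration that is not Icinga's code and not part of this report, the C sketch below shows the reflected-attribute pattern behind this class of bug next to the attribute escaping that neutralises it; the render functions, the single-quoted href layout and the sample query string are assumptions, not status.cgi's actual source.

```c
/* Added illustration (not Icinga code): HTML-attribute escaping for a
 * reflected CGI parameter, the class of fix needed for CVE-2015-8010. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a string so it cannot terminate an HTML attribute value or start
 * a tag. Returns a newly allocated string; caller frees. */
char *html_attr_escape(const char *in) {
    size_t cap = strlen(in) * 6 + 1;       /* worst case: every char -> "&quot;" */
    char *out = malloc(cap);
    if (!out) return NULL;
    char *p = out;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(p, rep, n); p += n; }
        else      *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Vulnerable pattern (assumed layout): the raw query string is echoed into a
 * single-quoted href, so a quote in it ends the value and adds attributes. */
const char *render_sort_link_unsafe(const char *query) {
    static char buf[1024];
    snprintf(buf, sizeof buf, "<a href='status.cgi?%s&sorttype=1'>Sort</a>", query);
    return buf;
}

/* Hardened pattern: escape before interpolation, so the value stays inside
 * the attribute whatever characters it contains. */
const char *render_sort_link_safe(const char *query) {
    static char buf[1024];
    char *esc = html_attr_escape(query);
    if (!esc) return NULL;
    snprintf(buf, sizeof buf, "<a href='status.cgi?%s&sorttype=1'>Sort</a>", esc);
    free(esc);
    return buf;
}
```

The href should additionally be URL-encoded per parameter; attribute escaping alone is what keeps the markup intact.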
Comment 1 Swamp Workflow Management 2015-10-30 23:00:15 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2017-01-16 18:15:28 UTC
openSUSE-SU-2017:0146-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1014637,952777
CVE References: CVE-2015-8010,CVE-2016-9566
Sources used:
openSUSE Leap 42.2 (src):    icinga-1.14.0-4.1
openSUSE Leap 42.1 (src):    icinga-1.14.0-3.1
Comment 4 Bernhard Wiedemann 2017-12-01 23:40:18 UTC
This is an autogenerated message for OBS integration:
This bug (952777) was mentioned in
https://build.opensuse.org/request/show/547289 Factory / icinga
https://build.opensuse.org/request/show/547290 42.2+42.3 / icinga
https://build.opensuse.org/request/show/547295 42.2+42.3 / icinga
Comment 6 Bernhard Wiedemann 2017-12-02 01:40:32 UTC
This is an autogenerated message for OBS integration:
This bug (952777) was mentioned in
https://build.opensuse.org/request/show/547320 42.2+42.3 / icinga
https://build.opensuse.org/request/show/547321 42.2+42.3 / icinga
https://build.opensuse.org/request/show/547324 Factory / icinga
Comment 7 Swamp Workflow Management 2017-12-19 15:11:00 UTC
This is an autogenerated message for OBS integration:
This bug (952777) was mentioned in
https://build.opensuse.org/request/show/558566 Factory / icinga
Comment 11 Swamp Workflow Management 2018-10-11 10:40:16 UTC
This is an autogenerated message for OBS integration:
This bug (952777) was mentioned in
https://build.opensuse.org/request/show/641224 42.2+42.3 / icinga
Comment 14 Swamp Workflow Management 2018-10-19 16:41:29 UTC
openSUSE-SU-2018:3258-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011630,1018047,952777,961115
CVE References: CVE-2015-8010,CVE-2016-0726,CVE-2016-10089,CVE-2016-8641
Sources used:
openSUSE Leap 42.3 (src):    icinga-1.14.0-8.3.2
Comment 15 Swamp Workflow Management 2018-11-05 20:09:30 UTC
SUSE-SU-2018:3620-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1011630,1018047,952777
CVE References: CVE-2015-8010,CVE-2016-10089,CVE-2016-8641
Sources used:
SUSE Manager Tools 12 (src):    icinga-1.13.3-12.3.1
SUSE Enterprise Storage 4 (src):    icinga-1.13.3-12.3.1
Comment 16 Lars Vogdt 2019-06-07 15:52:09 UTC
Closing -> update released