What is the severity of CVE-2024-24819?

CVE-2024-24819 has a moderate severity rating due to its potential for cross-site request forgery (CSRF) exploits.

How do I fix CVE-2024-24819?

To fix CVE-2024-24819, you should upgrade to the latest version of the icingaweb2-module-incubator that is above 0.22.0.

What is the impact of CVE-2024-24819 on my system?

CVE-2024-24819 can allow attackers to perform actions on behalf of authenticated users without their consent.

Which versions of icingaweb2-module-incubator are affected by CVE-2024-24819?

Versions of icingaweb2-module-incubator prior to 0.22.0 are affected by CVE-2024-24819.

Does CVE-2024-24819 include any mitigations?

CVE-2024-24819 does not provide built-in mitigations for impacted versions, making upgrades essential.

Vulnerability/
CVE-2024-24819

high

8.8

CWE

352

EPSS

0.055%

9/2/2024

1/8/2024

CVE-2024-24819: icingaweb2-module-incubator base implementation for HTML forms is susceptible to CSRF

First published: Fri Feb 09 2024(Updated: )

icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding an element with a CSRF token to any form, unless explicitly disabled, but even if enabled, the CSRF token (sent during a client's submission of a form relying on it) is not validated. This enables attackers to perform changes on behalf of a user which, unknowingly, interacts with a prepared link or website. The version 0.22.0 is available to remedy this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Icinga	<0.22.0

Remedy

https://github.com/Icinga/icingaweb2-module-incubator/commit/db7dc49585fee0b4e96be666d7f6009a74a1ccb5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-24819?
CVE-2024-24819 has a moderate severity rating due to its potential for cross-site request forgery (CSRF) exploits.
How do I fix CVE-2024-24819?
To fix CVE-2024-24819, you should upgrade to the latest version of the icingaweb2-module-incubator that is above 0.22.0.
What is the impact of CVE-2024-24819 on my system?
CVE-2024-24819 can allow attackers to perform actions on behalf of authenticated users without their consent.
Which versions of icingaweb2-module-incubator are affected by CVE-2024-24819?
Versions of icingaweb2-module-incubator prior to 0.22.0 are affected by CVE-2024-24819.
Does CVE-2024-24819 include any mitigations?
CVE-2024-24819 does not provide built-in mitigations for impacted versions, making upgrades essential.

agent/title
agent/weakness
agent/references
agent/first-publish-date
agent/description
agent/type
agent/author
agent/event
agent/remedy
agent/severity
agent/softwarecombine
collector/epss-latest
source/FIRST
agent/epss
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/icinga
canonical/icinga

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.