CVE-2018-18249

Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet.
Configurations

Configuration 1 (hide)

cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-12-17 15:29

Updated : 2024-02-04 20:03


NVD link : CVE-2018-18249

Mitre link : CVE-2018-18249

CVE.ORG link : CVE-2018-18249


JSON object : View

Products Affected

icinga

  • icinga_web_2
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')