The vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing.
Version 0.13.1 includes a fix for this. It will be published as part of icinga-php-library version 0.19.2.
Enable the Content-Security-Policy (CSP) in the general configuration of Icinga Web available since version 2.12.0.
None
0.13.1Exploitability
AV:NAC:HPR:HUI:RScope
S:CImpact
C:HI:HA:H7.6/CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H