{"url":"http://public2.vulnerablecode.io/api/packages/516349?format=json","purl":"pkg:deb/debian/icingaweb2@2.6.2-3%2Bdeb10u1","type":"deb","namespace":"debian","name":"icingaweb2","version":"2.6.2-3+deb10u1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.12.4-2","latest_non_vulnerable_version":"2.12.4-2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/72667?format=json","vulnerability_id":"VCID-6caf-1dxw-83f8","summary":"Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-24368","reference_id":"","reference_type":"","scores":[{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82885","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82912","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82911","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82908","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.829","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82913","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-24368"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968833","reference_id":"968833","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968833"},{"reference_url":"https://security.gentoo.org/glsa/202208-05","reference_id":"GLSA-202208-05","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202208-05"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195476?format=json","purl":"pkg:deb/debian/icingaweb2@2.8.2-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b2mw-9za7-g7e8"},{"vulnerability":"VCID-bm67-sbq8-cbe6"},{"vulnerability":"VCID-g1mm-4g1n-wfbe"},{"vulnerability":"VCID-ghqe-t14t-tugv"},{"vulnerability":"VCID-mncr-pt4g-nqhe"},{"vulnerability":"VCID-n5ga-rut2-eqbm"},{"vulnerability":"VCID-n5hw-f2zq-8yfa"},{"vulnerability":"VCID-xcy4-yzed-kqd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/icingaweb2@2.8.2-2"}],"aliases":["CVE-2020-24368"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6caf-1dxw-83f8"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/72667?format=json","vulnerability_id":"VCID-6caf-1dxw-83f8","summary":"Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-24368","reference_id":"","reference_type":"","scores":[{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82885","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82912","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82911","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82908","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.829","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01746","scoring_system":"epss","scoring_elements":"0.82913","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-24368"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968833","reference_id":"968833","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968833"},{"reference_url":"https://security.gentoo.org/glsa/202208-05","reference_id":"GLSA-202208-05","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202208-05"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516349?format=json","purl":"pkg:deb/debian/icingaweb2@2.6.2-3%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6caf-1dxw-83f8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/icingaweb2@2.6.2-3%252Bdeb10u1"},{"url":"http://public2.vulnerablecode.io/api/packages/195476?format=json","purl":"pkg:deb/debian/icingaweb2@2.8.2-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b2mw-9za7-g7e8"},{"vulnerability":"VCID-bm67-sbq8-cbe6"},{"vulnerability":"VCID-g1mm-4g1n-wfbe"},{"vulnerability":"VCID-ghqe-t14t-tugv"},{"vulnerability":"VCID-mncr-pt4g-nqhe"},{"vulnerability":"VCID-n5ga-rut2-eqbm"},{"vulnerability":"VCID-n5hw-f2zq-8yfa"},{"vulnerability":"VCID-xcy4-yzed-kqd1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/icingaweb2@2.8.2-2"}],"aliases":["CVE-2020-24368"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6caf-1dxw-83f8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/72664?format=json","vulnerability_id":"VCID-br39-2611-2fcy","summary":"Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18248","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47432","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47497","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47499","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47481","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47451","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47465","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18248"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18248","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18248"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516349?format=json","purl":"pkg:deb/debian/icingaweb2@2.6.2-3%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6caf-1dxw-83f8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/icingaweb2@2.6.2-3%252Bdeb10u1"}],"aliases":["CVE-2018-18248"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-br39-2611-2fcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/72663?format=json","vulnerability_id":"VCID-ef2r-nq5w-k7ht","summary":"Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18247","reference_id":"","reference_type":"","scores":[{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42771","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42845","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42856","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42833","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42796","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42805","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18247"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18247","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18247"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516349?format=json","purl":"pkg:deb/debian/icingaweb2@2.6.2-3%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6caf-1dxw-83f8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/icingaweb2@2.6.2-3%252Bdeb10u1"}],"aliases":["CVE-2018-18247"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ef2r-nq5w-k7ht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/72666?format=json","vulnerability_id":"VCID-gbbv-q67c-bugp","summary":"Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18250","reference_id":"","reference_type":"","scores":[{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47058","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47123","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47126","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47107","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47078","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47089","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18250"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18250","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18250"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516349?format=json","purl":"pkg:deb/debian/icingaweb2@2.6.2-3%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6caf-1dxw-83f8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/icingaweb2@2.6.2-3%252Bdeb10u1"}],"aliases":["CVE-2018-18250"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gbbv-q67c-bugp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/72665?format=json","vulnerability_id":"VCID-h7s8-qf6r-effc","summary":"Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18249","reference_id":"","reference_type":"","scores":[{"value":"0.00513","scoring_system":"epss","scoring_elements":"0.66867","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00513","scoring_system":"epss","scoring_elements":"0.66907","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00513","scoring_system":"epss","scoring_elements":"0.66916","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00513","scoring_system":"epss","scoring_elements":"0.669","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00513","scoring_system":"epss","scoring_elements":"0.66885","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00513","scoring_system":"epss","scoring_elements":"0.66903","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18249"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18249","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18249"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516349?format=json","purl":"pkg:deb/debian/icingaweb2@2.6.2-3%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6caf-1dxw-83f8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/icingaweb2@2.6.2-3%252Bdeb10u1"}],"aliases":["CVE-2018-18249"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h7s8-qf6r-effc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/72662?format=json","vulnerability_id":"VCID-tsw8-xc41-sfhk","summary":"Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18246","reference_id":"","reference_type":"","scores":[{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30084","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30157","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30121","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30089","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.3006","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30074","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-18246"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18246","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18246"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516349?format=json","purl":"pkg:deb/debian/icingaweb2@2.6.2-3%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6caf-1dxw-83f8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/icingaweb2@2.6.2-3%252Bdeb10u1"}],"aliases":["CVE-2018-18246"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tsw8-xc41-sfhk"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/icingaweb2@2.6.2-3%252Bdeb10u1"}