With GET in browser on the following link, the "director" dashlet is instantly removed from the "Current Incidents" pane:
http://10.27.0.95/icingaweb2/dashboard?pane=Current%20Incidents&remove=director
No confirmation. No CSRF protection. See DashboardController.php:324.
Opening an issue instead of a GHSA as
- I wasn't able to weaponize this due to browsers defaulting cookies to SameSite=Lax
- I was told offline this is not an actual security hole
- the attacher still has to guess pane/dashlet names
- the attacher can't inject new stuff
With GET in browser on the following link, the "director" dashlet is instantly removed from the "Current Incidents" pane:
http://10.27.0.95/icingaweb2/dashboard?pane=Current%20Incidents&remove=director
No confirmation. No CSRF protection. See DashboardController.php:324.
Opening an issue instead of a GHSA as