FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Hidden/Protected custom variables are prone to filter enumeration

Affected packages
icingaweb2-module-icingadb-php81 < 1.1.4
1.2 <= icingaweb2-module-icingadb-php81 < 1.2.3,1
icingaweb2-module-icingadb-php82 < 1.1.4
1.2 <= icingaweb2-module-icingadb-php82 < 1.2.3,1
icingaweb2-module-icingadb-php83 < 1.1.4
1.2 <= icingaweb2-module-icingadb-php83 < 1.2.3,1
icingaweb2-module-icingadb-php84 < 1.1.4
1.2 <= icingaweb2-module-icingadb-php84 < 1.2.3,1
icingaweb2-module-icingadb-php85 < 1.1.4
1.2 <= icingaweb2-module-icingadb-php85 < 1.2.3,1

Details

VuXML ID 4553e4b3-addf-11f0-9b8d-40a6b7c3b3b8
Discovery 2025-10-16
Entry 2025-10-20

Icinga reports:

An authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it.

[source]

References

CVE Name CVE-2025-61789
URL https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.