A successful attack requires the presence of one of the third-party modules supplied with images or icons. Among such modules are Icinga Business Process Modeling, Icinga Director,
Icinga Reporting, Maps Module and Globe Module. By themselves, there are no vulnerabilities in these modules, but they are factors that allow organizing an attack on Icinga Web.
The attack is carried out by sending HTTP GET or POST requests to the handler that performs the return of images, access to which does not require an account. For example, if Icinga Web 2 is available as "/icingaweb2" and the system has a businessprocess module installed in the /usr/share/icingaweb2/modules directory, to read the contents of the /etc/os-release file, you can send a request "GET /icingaweb2/static /img?module_name=businessprocess&file=../../../../../../../etc/os-release".
Source: opennet.ru