CVE-2025-27404

Published: Mar 26, 2025Modified: Aug 1, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

Affected (2)

Products: Icinga: Icinga Web 2

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Icinga Icinga Web 2	Before 2.11.5
Icinga Icinga Web 2	From 2.12.0 to 2.12.3

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5

Source: security-advisories@github.com

Release Notes

https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3

Source: security-advisories@github.com

Release Notes

https://github.com/Icinga/icingaweb2/security/advisories/GHSA-c6pg-h955-wf66

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.