Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 lets an attacker craft a URL that, once visited by any user, embeds arbitrary JavaScript into Icinga Web and lets the attacker act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
History

Fri, 01 Aug 2025 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Icinga; Icinga icinga Web 2 |
| CPEs | | `cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Icinga; Icinga icinga Web 2 |

Wed, 26 Mar 2025 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |

Wed, 26 Mar 2025 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 lets an attacker craft a URL that, once visited by any user, embeds arbitrary JavaScript into Icinga Web and lets the attacker act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. |
| Title | | Icinga Web 2 has XSS in embedded content |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H'}` |

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-03-26T15:10:10.288Z

Updated: 2025-03-26T15:57:52.238Z

Reserved: 2025-02-24T15:51:17.267Z

Link: CVE-2025-27405

Vulnrichment

Updated: 2025-03-26T15:32:37.161Z

NVD

Status: Analyzed

Published: 2025-03-26T16:15:22.983

Modified: 2025-08-01T15:15:28.260

Link: CVE-2025-27405

Redhat

No data.