Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows arbitrary JavaScript to be embedded into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.
History

Fri, 01 Aug 2025 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Icinga
                                      Icinga icinga Web 2
CPEs                                  cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*
Vendors & Products                    Icinga
                                      Icinga icinga Web 2
Metrics                               cvssV3_1
                                      {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 26 Mar 2025 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 16:30:00 +0000

Type          Values Removed   Values Added
Description                    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows arbitrary JavaScript to be embedded into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.
Title                          Icinga Web 2 Vulnerable to Reflected XSS
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0
                               {'score': 1.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-03-26T16:10:19.223Z

Updated: 2025-03-26T18:05:36.741Z

Reserved: 2025-03-03T15:10:34.079Z

Link: CVE-2025-27609

Vulnrichment

Updated: 2025-03-26T17:12:02.525Z

NVD

Status: Analyzed

Published: 2025-03-26T17:15:25.877

Modified: 2025-08-01T15:11:44.517

Link: CVE-2025-27609

Redhat

No data.