CVE-2025-27405

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*
cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*

History

01 Aug 2025, 15:15

Type Values Removed Values Added
CPE cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*
First Time Icinga icinga Web 2
Icinga
References () https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 - () https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 - Release Notes
References () https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3 - () https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3 - Release Notes
References () https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w - () https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w - Vendor Advisory

27 Mar 2025, 16:45

Type Values Removed Values Added
Summary
  • (es) Icinga Web 2 es una interfaz web, un framework y una interfaz de línea de comandos de código abierto para la monitorización. Una vulnerabilidad en versiones anteriores a la 2.11.5 y la 2.12.13 permite a un atacante manipular una URL que, una vez visitada por cualquier usuario, permite incrustar JavaScript arbitrario en Icinga Web y actuar en nombre de dicho usuario. Este problema se ha resuelto en las versiones 2.11.5 y 2.12.3 de Icinga Web 2. Como workaround, quienes tengan Icinga Web 2.12.2 pueden habilitar una política de seguridad de contenido en la configuración de la aplicación.

26 Mar 2025, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-03-26 16:15

Updated : 2025-08-01 15:15


NVD link : CVE-2025-27405

Mitre link : CVE-2025-27405

CVE.ORG link : CVE-2025-27405


JSON object : View

Products Affected

icinga

  • icinga_web_2
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')