CVE-2025-27609

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5	Release Notes
https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3	Release Notes
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5cjw-fwjc-8j38	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:icinga:icinga_web_2::::::::
	cpe:2.3:a:icinga:icinga_web_2::::::::

History

01 Aug 2025, 15:11

Type	Values Removed	Values Added
CPE		cpe:2.3:a:icinga:icinga_web_2::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
First Time		Icinga icinga Web 2 Icinga
References	~~() https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 -~~	() https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 - Release Notes
References	~~() https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3 -~~	() https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3 - Release Notes
References	~~() https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5cjw-fwjc-8j38 -~~	() https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5cjw-fwjc-8j38 - Vendor Advisory

27 Mar 2025, 16:45

Type	Values Removed	Values Added
Summary		(es) Icinga Web 2 es una interfaz web, un framework y una interfaz de línea de comandos de código abierto para la monitorización. Una vulnerabilidad en versiones anteriores a la 2.11.5 y la 2.12.13 permite a un atacante manipular una solicitud que, una vez transmitida al Icinga Web de la víctima, permite incrustar JavaScript arbitrario en él y actuar en nombre de ese usuario. Este problema se ha resuelto en las versiones 2.11.5 y 2.12.3 de Icinga Web 2. Como workaround, quienes tengan Icinga Web 2.12.2 pueden habilitar una política de seguridad de contenido en la configuración de la aplicación. Cualquier navegador moderno con una implementación CORS funcional también ofrece protección suficiente contra esta vulnerabilidad.

26 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-26 17:15

Updated : 2025-08-01 15:11

NVD link : CVE-2025-27609

Mitre link : CVE-2025-27609

CVE.ORG link : CVE-2025-27609

JSON object : View

Products Affected

icinga

icinga_web_2

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10