PT-2025-12970 · Icinga · Icinga Web 2
Author: Moreamazingnick
Published: 2025-03-26 · Updated: 2025-08-21
CVE-2025-27405
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Icinga Web 2 versions prior to 2.11.5
Icinga Web 2 versions prior to 2.12.13
Description
A vulnerability in Icinga Web 2 allows an attacker to craft a URL that, once visited by any user, enables the embedding of arbitrary JavaScript into Icinga Web and allows the attacker to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2.
Recommendations
For versions prior to 2.11.5, update to version 2.11.5 or later.
For versions prior to 2.12.13, update to version 2.12.3 or later.
As a temporary workaround for those with Icinga Web 2.12.2, enable a content security policy in the application settings.
Links: Exploit · Fix
Tags: XSS
Affected Products
Alt Linux
Debian
Icinga Web 2