PT-2025-12972 · Icinga+1 · Icinga Reporting+1
Published 2025-03-26 · Updated 2025-03-27
CVE-2025-27406
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Icinga Reporting versions 0.10.0 through 1.0.2
Description
A vulnerability in Icinga Reporting allows an attacker to embed arbitrary JavaScript in a report template. The script runs in the context of the user who previews the template, and in the context of the headless browser when a report based on that template is printed to PDF, so the attacker can act on behalf of either.
Recommendations
For versions 0.10.0 through 1.0.2, review all templates and remove suspicious settings as a temporary workaround.
Update to version 1.0.3 to resolve the issue.
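Both the description (settings rendered into the template without escaping) and the workaround (review templates for suspicious settings) can be shown in one small script. The following is an added example written for this page, not code from Positive Technologies or the Icinga project; the template layout, the field names and the sample values are constructed assumptions, since the advisory does not describe Icinga Reporting's actual schema. It flags template settings that would execute script if rendered as raw HTML, and shows the hardened rendering that escapes them as text.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample templates, keyed by template name. The field names
# (title, footer) and the values are assumptions for this example; they
# are not Icinga Reporting's real template format.
SAMPLE_TEMPLATES = {
    "weekly-availability": {
        "title": "Weekly availability",
        "footer": "Generated by Icinga Reporting",
    },
    "suspicious": {
        "title": "Weekly report <script>void(0)</script>",
        "footer": '<a href="javascript:void(0)">details</a>',
    },
}

_URL_ATTRS = ("href", "src", "action", "formaction")
_SCRIPT_TAGS = ("script", "iframe", "object", "embed")


class _ActiveContentFinder(HTMLParser):
    """Collects markup that would run as script if the value were rendered unescaped."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in _SCRIPT_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Inline event handlers (onload, onerror, onclick, ...).
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            # URL attributes using the javascript: scheme.
            elif name in _URL_ATTRS and value and re.match(r"\s*javascript:", value, re.I):
                self.findings.append(f"javascript: URL in <{tag} {name}>")


def find_active_content(value):
    """Return a list of findings for one setting value; empty means nothing flagged."""
    finder = _ActiveContentFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def audit_templates(templates):
    """Map template name -> {setting: findings} for settings carrying active content.

    Templates with no flagged settings are omitted from the result.
    """
    report = {}
    for name, settings in templates.items():
        hits = {}
        for key, value in settings.items():
            if isinstance(value, str):
                findings = find_active_content(value)
                if findings:
                    hits[key] = findings
        if hits:
            report[name] = hits
    return report


def render_setting(value):
    """Hardened rendering: escape the setting so the browser treats it as text.

    The vulnerable pattern is interpolating `value` into the report HTML as-is;
    escaping the five HTML-significant characters removes the script context.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for name, hits in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"template {name!r}:")
        for key, findings in hits.items():
            print(f"  {key}: {', '.join(findings)}")
    print("escaped title:", render_setting(SAMPLE_TEMPLATES["suspicious"]["title"]))
```

The audit only recognises markup an HTML parser sees as executable (script-bearing elements, `on*` attributes, `javascript:` URLs), so it is a review aid for the interim workaround rather than a replacement for the 1.0.3 update; `render_setting` is the kind of output encoding that removes the injection point regardless of what the setting contains.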
Exploit · Fix · SSRF · XSS
Related Identifiers
Affected Products
Debian
Icinga Reporting