PT-2025-12974 · Icinga+2 · Icinga Web 2+2
Moezbouzayani9
·
Published
2025-03-26
·
Updated
2025-08-21
·
CVE-2025-27609
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Icinga Web 2 versions prior to 2.11.5
Icinga Web 2 versions prior to 2.12.13
Description
A vulnerability in Icinga Web 2 allows an attacker to craft a request that embeds arbitrary Javascript into the interface, enabling them to act on behalf of a user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. Modern browsers with a working CORS implementation sufficiently guard against the vulnerability.
Recommendations
For versions prior to 2.11.5, update to version 2.11.5 or later.
For versions prior to 2.12.13, update to version 2.12.3 or later.
As a temporary workaround for version 2.12.2, enable a content security policy in the application settings.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Debian
Icinga Web 2