Icinga Web 2
CVE-2025-27404
HIGH
Severity by source
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
AnalysisAI
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Affected products include: Icinga Icinga Web 2. Version information: prior to 2.11.5.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Icinga Web 2
View allIcinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker
Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as
Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module
Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string,
Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. Rated medium severity (CVSS 5.4), t
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated low severity (CVSS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today