Icinga Web 2
CVE-2025-27609
LOW
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionGitHub Advisory
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.
AnalysisAI
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated low severity (CVSS 1.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability. Affected products include: Icinga Icinga Web 2. Version information: prior to 2.11.5.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Icinga Web 2
View allIcinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker
Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as
Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module
Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string,
Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. Rated medium severity (CVSS 5.4), t
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today