CVE-2025-27404 — Cross-site Scripting in Icingaweb2

CWE-79 — Cross-site Scripting CWE-787 — Out-of-bounds Write5 documents5 sources

Severity

6.1MEDIUMNVD

CNA7.6

EPSS

0.3%

top 44.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Icinga Icingaweb2 Icinga WEB 2

Timeline

PublishedMar 26

Description

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5icinga/icingaweb2< 2.11.5+1

▶NVDicinga/icinga_web_22.12.0 — 2.12.3+1

▶Debianicinga/icingaweb2< 2.12.4-1+1

🔴Vulnerability Details

CVEList

Icinga Web 2 DOM-based XSS vulnerability↗2025-03-26

▶

OSV

CVE-2025-27404: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface↗2025-03-26

▶

📋Vendor Advisories

Debian

CVE-2025-27404: icingaweb2 - Icinga Web 2 is an open source monitoring web interface, framework and command-l...↗2025

▶

Microsoft

FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.↗2022-04-12

▶