CVE-2025-27405 — Cross-site Scripting in Icingaweb2

CWE-79 — Cross-site Scripting CWE-125 — Out-of-bounds Read5 documents5 sources

Severity

6.1MEDIUMNVD

CNA7.6

EPSS

0.3%

top 44.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Icinga Icingaweb2 Icinga WEB 2

Timeline

PublishedMar 26

Description

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5icinga/icingaweb2< 2.11.5+1

▶NVDicinga/icinga_web_22.12.0 — 2.12.3+1

▶Debianicinga/icingaweb2< 2.12.4-1+1

🔴Vulnerability Details

OSV

CVE-2025-27405: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface↗2025-03-26

▶

CVEList

Icinga Web 2 has XSS in embedded content↗2025-03-26

▶

📋Vendor Advisories

Debian

CVE-2025-27405: icingaweb2 - Icinga Web 2 is an open source monitoring web interface, framework and command-l...↗2025

▶

Microsoft

FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.↗2022-04-12

▶