cbcvebase.
CVE-2025-27405
published 2025-03-26


Priority: P4 30 (medium)
CVSS 3.1: 6.1 (AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N)
EPSS: 0.31% (22.2nd percentile)
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, embeds arbitrary JavaScript into Icinga Web and lets the attacker act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

Affected

13 ranges

Vendor | Product                                    | Version range                        | Fixed in
-------|--------------------------------------------|--------------------------------------|---------------------------------
debian | icingaweb2                                 | < icingaweb2 2.12.4-1 (forky)        | icingaweb2 2.12.4-1 (forky)
icinga | icinga_web_2                               | < 2.11.5                             | 2.11.5
icinga | icinga_web_2                               | >= 2.12.0 < 2.12.3                   | 2.12.3
icinga | icingaweb2                                 | < 2.11.5                             | 2.11.5
icinga | icingaweb2                                 |                                      |
icinga | icingaweb2                                 | >= 0 < 2.12.4-1                      | 2.12.4-1
icinga | icingaweb2                                 | >= 0 < 2.12.4-1                      | 2.12.4-1
msrc   | cbl2_freetype_2.12.1-1_on_cbl_mariner_2.0  |                                      |
msrc   | cbl_mariner_1.0_arm                        |                                      |
msrc   | cbl_mariner_1.0_x64                        |                                      |
msrc   | cbl_mariner_2.0_arm                        |                                      |
msrc   | cbl_mariner_2.0_x64                        |                                      |
msrc   | cm1_freetype_2.12.1-1_on_cbl_mariner_1.0   |                                      |

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|--------------------------------------------------
nvd           | v3.1    | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv           |         | 6.1   | MEDIUM   |
vendor_debian |         | 7.6   | HIGH     |
vendor_msrc   |         | 7.5   | HIGH     |