CVE-2025-27609: Cross-site Scripting in Icingaweb2

Severity
1.1 LOW (NVD)
EPSS
0.2%
top 55.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 26, 2025

Description

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.3 allows an attacker to craft a request that, once a victim is made to submit it to their Icinga Web instance, reflects arbitrary JavaScript into the response and runs it in the victim's session, letting the attacker act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages (3 packages)

Source      Package               Affected range
CVEListV5   icinga/icingaweb2     < 2.11.5 (+1 more)
NVD         icinga/icinga_web_2   >= 2.12.0, < 2.12.3 (+1 more)
Debian      icinga/icingaweb2     < 2.12.4-1 (+1 more)
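A practitioner triaging this entry usually wants one thing first: is the version I am running inside the affected ranges listed above? The following is an added example, not code from the Icinga project or from cvebase, that encodes the two ranges the page gives (below 2.11.5, and 2.12.0 up to but not including 2.12.3) and compares an installed version string against them. It also strips a Debian epoch ("1:") and package revision ("-1") so that a string taken straight from `dpkg -l` compares correctly. The helper names `parse_version` and `is_affected` are this example's own; the "+1 more" ranges the page does not expand are not covered, and anything older than 2.11 is treated as affected, which is what the CVE List range "< 2.11.5" literally says.

```python
"""Check an Icinga Web 2 version against the affected ranges on this page.

Added example (not Icinga or cvebase code). Ranges are taken from the page:
  CVE List: < 2.11.5
  NVD:      >= 2.12.0, < 2.12.3
Fixed releases are therefore 2.11.5 and 2.12.3.
"""
import re

FIXED_2_11 = (2, 11, 5)   # first fixed release on the 2.11 branch
FIXED_2_12 = (2, 12, 3)   # first fixed release on the 2.12 branch


def parse_version(raw: str) -> tuple:
    """Turn '2.12.4-1', '1:2.11.4-2' or 'v2.12.2' into an int tuple.

    A Debian epoch ('1:') and package revision ('-1') are dropped because
    the upstream version is what the advisory ranges refer to.
    """
    v = raw.strip()
    if ":" in v:
        v = v.split(":", 1)[1]          # drop Debian epoch
    v = v.split("-", 1)[0].lstrip("v")  # drop Debian revision, leading 'v'
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected(raw: str) -> bool:
    """True if the version falls inside either range listed on the page."""
    v = parse_version(raw)
    if v < FIXED_2_11:
        return True                      # CVE List: < 2.11.5
    if (2, 12, 0) <= v < FIXED_2_12:
        return True                      # NVD: >= 2.12.0, < 2.12.3
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a mix of upstream tags and Debian strings.
    for sample in ("2.11.4", "2.11.5", "2.12.2", "2.12.3", "2.12.4-1", "1:2.11.4-2"):
        print(f"{sample:12s} affected={is_affected(sample)}")
```

Run it with no arguments to see the sample table; for a real host, feed it the output of `icingacli --version` or the version column from `dpkg -l icingaweb2`. Note that the check says nothing about whether a content security policy is enabled, so a 2.12.2 host reported as affected may still be partially mitigated by the workaround the description mentions.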

Vulnerability Details (2)
CVEList
Icinga Web 2 Vulnerable to Reflected XSS (2025-03-26)
OSV
CVE-2025-27609: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface (2025-03-26)

Vendor Advisories (1)
Debian
CVE-2025-27609: icingaweb2 - Icinga Web 2 is an open source monitoring web interface, framework and command-l... (2025)