CVE-2025-27404

NameCVE-2025-27404
DescriptionIcinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
icingaweb2 (PTS)bullseye2.8.2-2vulnerable
bookworm2.11.4-2+deb12u1vulnerable
sid, trixie2.12.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
icingaweb2source(unstable)2.12.4-1

Notes

https://github.com/Icinga/icingaweb2/security/advisories/GHSA-c6pg-h955-wf66

Search for package or bug name: Reporting problems