CVE-2025-27405

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-27405
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27405.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27405
Aliases
  • GHSA-3x37-fjc3-ch8w
Related
Published
2025-03-26T16:15:22Z
Modified
2025-03-31T05:52:52.770560Z
Downstream
Summary
[none]
Details

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

References

Affected packages

Debian:11 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:deb/debian/icingaweb2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.8.2-2
2.8.3-1~exp1
2.8.4-1~exp1
2.8.4-1
2.8.5-1
2.9.3-1~exp1
2.9.3-1
2.9.4-1
2.9.5-1
2.9.6-1
2.10.0-1~exp1
2.10.1-1
2.10.2-1
2.11.0-1
2.11.0-2
2.11.0-3
2.11.0-4
2.11.1-1
2.11.2-1
2.11.2-2
2.11.3-1
2.11.4-1
2.11.4-2
2.11.4-3
2.12.0-1~exp1
2.12.0-1
2.12.1-1
2.12.2-1
2.12.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:deb/debian/icingaweb2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.11.4-2
2.11.4-2+deb12u1
2.11.4-3
2.12.0-1~exp1
2.12.0-1
2.12.1-1
2.12.2-1
2.12.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:deb/debian/icingaweb2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.4-1

Affected versions

2.*

2.11.4-2
2.11.4-3
2.12.0-1~exp1
2.12.0-1
2.12.1-1
2.12.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}