CVE-2025-27609

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-27609
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27609.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27609
Aliases
  • GHSA-5cjw-fwjc-8j38
Related
Published
2025-03-26T17:15:25Z
Modified
2025-03-31T05:52:52.912282Z
Downstream
Summary
[none]
Details

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.

References

Affected packages

Debian:11 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:deb/debian/icingaweb2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.8.2-2
2.8.3-1~exp1
2.8.4-1~exp1
2.8.4-1
2.8.5-1
2.9.3-1~exp1
2.9.3-1
2.9.4-1
2.9.5-1
2.9.6-1
2.10.0-1~exp1
2.10.1-1
2.10.2-1
2.11.0-1
2.11.0-2
2.11.0-3
2.11.0-4
2.11.1-1
2.11.2-1
2.11.2-2
2.11.3-1
2.11.4-1
2.11.4-2
2.11.4-3
2.12.0-1~exp1
2.12.0-1
2.12.1-1
2.12.2-1
2.12.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:deb/debian/icingaweb2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.11.4-2
2.11.4-2+deb12u1
2.11.4-3
2.12.0-1~exp1
2.12.0-1
2.12.1-1
2.12.2-1
2.12.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:deb/debian/icingaweb2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.4-1

Affected versions

2.*

2.11.4-2
2.11.4-3
2.12.0-1~exp1
2.12.0-1
2.12.1-1
2.12.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}