JavaScript Injection Vulnerability in Icinga Web 2 by Icinga
CVE-2025-27609

1.1LOW

Key Information:

Vendor

Icinga

Status
Icingaweb2
Vendor
CVE Published:
26 March 2025

What is CVE-2025-27609?

Icinga Web 2, an open-source monitoring solution, is susceptible to a JavaScript injection vulnerability in versions prior to 2.11.5 and 2.12.3. This flaw allows an attacker to send specially crafted requests that can embed malicious JavaScript into the application, potentially enabling unauthorized actions under the guise of the victim's session. Users are encouraged to upgrade to 2.11.5 or 2.12.3 to mitigate risks. As a temporary measure, enabling a content security policy or using modern browsers with proper CORS implementation can help protect against exploitation.

Affected Version(s)

icingaweb2 < 2.11.5 < 2.11.5

icingaweb2 >= 2.12.0, < 2.12.3 < 2.12.0, 2.12.3

References

https://github.com/Icinga/icingaweb2/security/advisories/...
x_refsource_CONFIRM
https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5
x_refsource_MISC
https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3
x_refsource_MISC

CVSS V4

Score:
1.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.