Home > Vulnerability Database > CVE-2025-27609

Mend.io Vulnerability Database

CVE-2025-27609

Good to know:

Date: March 26, 2025

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.

Severity Score

5.4

Related Resources (6)

Url: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5cjw-fwjc-8j38

Url: https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5

Url: https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3

Url: https://security-tracker.debian.org/tracker/CVE-2025-27609

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-27609

Url: https://www.mend.io/vulnerability-database/CVE-2025-27609

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version https://github.com/Icinga/icingaweb2.git - v2.11.5;https://github.com/Icinga/icingaweb2.git - v2.12.3

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-27609

Good to know:

Date: March 26, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?