CVE-2025-27404
Published: 26 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-27404 is a cross-site scripting (XSS) vulnerability (CWE-79) in Icinga Web 2, an open source monitoring web interface, framework, and command-line interface. Versions prior to 2.11.5 and 2.12.3 are affected: an attacker can craft a malicious URL that, when any user visits it, causes arbitrary JavaScript to be embedded in and executed by the Icinga Web interface. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-03-26.
An attacker with high privileges can exploit this issue over the network by tricking any user into visiting the crafted URL; exploitation therefore requires user interaction and involves high attack complexity. On success, the embedded JavaScript executes in the context of the victim's authenticated session, letting the attacker act on behalf of that user, with potentially high confidentiality, integrity, and availability impact across the changed scope.
Mitigation is available by upgrading to Icinga Web 2 version 2.11.5 or 2.12.3, which resolve the issue. Installations on version 2.12.2 can apply a workaround by enabling a content security policy in the application settings. Additional details are provided in the Icinga security advisory (GHSA-c6pg-h955-wf66) and in the release notes for the patched versions.
Details
CWE(s): CWE-79 (cross-site scripting)
Affected Products: Icinga Web 2, versions prior to 2.11.5 and 2.12.3
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in the public-facing Icinga Web 2 application directly enables injection of arbitrary JavaScript that executes in the victim's authenticated browser session.