CVE-2025-27405
Published: 26 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-27405 is a cross-site scripting (XSS) vulnerability (CWE-79) in Icinga Web 2, the open source monitoring web interface, framework, and command-line interface. Versions prior to 2.11.5, and 2.12.x versions prior to 2.12.3, are vulnerable: an attacker can craft a URL that, when a user visits it, injects arbitrary JavaScript into the Icinga Web interface and runs it in that user's browser. The vulnerability carries a CVSS v3.1 base score of 7.6, rated High (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).
The attack is carried out over the network (AV:N), but the assigned metrics require the attacker to already hold a highly privileged account (PR:H) and require user interaction (UI:R): a victim must open the crafted URL, for example one delivered by phishing or posted as a shared link. When the victim's browser loads the page, the injected JavaScript executes in the context of the victim's authenticated session and can perform any action that user is permitted to perform. The scope is changed (S:C) because the script runs in the victim's browser rather than in the vulnerable component itself, and the impact on confidentiality, integrity, and availability is rated high (C:H/I:H/A:H); the high attack complexity (AC:H) and the privileged-attacker assumption are what hold the base score to 7.6.
The issue is fixed in Icinga Web 2 versions 2.11.5 and 2.12.3, as detailed in the project's release notes and security advisory (GHSA-3x37-fjc3-ch8w). For version 2.12.2, the advisory offers enabling the content security policy in the application settings as a workaround; this limits what injected script can do but does not remove the injection point, so it is a stopgap rather than a fix. Security practitioners should prioritize patching affected installations and, because the attack requires a highly privileged account, review which accounts hold such privileges.
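For triaging a fleet against the affected ranges above, here is an added Python helper (not Icinga code, not from the advisory). The affected and fixed versions are taken from the summary; the version strings in the sample inventory are constructed, and the choice to send branches older than 2.11 to 2.11.5 is this example's assumption rather than project guidance.

```python
"""Flag Icinga Web 2 installations affected by CVE-2025-27405 by version string.

Added triage helper, not Icinga code. Affected ranges come from the advisory
(fixed in 2.11.5 and 2.12.3); the upgrade target chosen for branches older
than 2.11 is this example's assumption, not the advisory's guidance.
"""
import re

FIXED_2_11 = (2, 11, 5)
FIXED_2_12 = (2, 12, 3)


def parse_version(text: str) -> tuple:
    """Normalise strings such as 'v2.12.2', '2.12.2-1' or '2.12' to a 3-tuple of ints.
    Package-release suffixes after the third component are ignored."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version: str) -> bool:
    """True for versions before 2.11.5 (any older branch included) and for 2.12.0 to 2.12.2."""
    v = parse_version(version)
    if v < FIXED_2_11:
        return True
    if (2, 12, 0) <= v < FIXED_2_12:
        return True
    return False  # 2.11.5+ on the 2.11 branch, 2.12.3+, or newer


def fixed_version_for(version: str) -> str:
    """Upgrade target on the same branch; older branches go to 2.11.5 (assumption)."""
    v = parse_version(version)
    if v[:2] == (2, 12):
        return "2.12.3"
    return "2.11.5"


def triage(inventory: dict) -> dict:
    """Map host -> recommended version for every affected host in the inventory."""
    return {host: fixed_version_for(ver)
            for host, ver in inventory.items() if is_affected(ver)}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real data.
    hosts = {
        "mon-a": "2.12.2",
        "mon-b": "2.12.3",
        "mon-c": "2.11.4-1",
        "mon-d": "v2.11.5",
        "mon-e": "2.10.6",
    }
    for host, target in triage(hosts).items():
        print(f"{host}: affected, upgrade to {target}")
```

Feed it whatever your inventory system reports for the Icinga Web 2 package; the parser tolerates a leading `v` and distribution release suffixes, and a 2.11.x host at or above 2.11.5 is correctly reported as not affected even though it is older than 2.12.0.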
Details
CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, cross-site scripting)
Affected Products: Icinga Web 2 before 2.11.5; Icinga Web 2 2.12.x before 2.12.3
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1059.007 (Command and Scripting Interpreter: JavaScript), T1185 (Browser Session Hijacking)
Why these techniques?
The flaw is reached by delivering a crafted URL to the monitoring web application, so the injection itself is an exploit of a public-facing application (T1190). The payload is JavaScript that the victim's browser executes (T1059.007). Because that script runs inside the victim's authenticated Icinga Web session, the attacker can read and act on the interface as that user, which is the browser session hijacking behaviour covered by T1185.