{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27405", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-24T15:51:17.267Z", "datePublished": "2025-03-26T15:10:10.288Z", "dateUpdated": "2025-03-26T15:57:52.238Z"}, "containers": {"cna": {"title": "Icinga Web 2 has XSS in embedded content", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w"}, {"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"}, {"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"}], "affected": [{"vendor": "Icinga", "product": "icingaweb2", "versions": [{"version": "< 2.11.5", "status": "affected"}, {"version": ">= 2.12.0, < 2.12.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-26T15:10:10.288Z"}, "descriptions": [{"lang": "en", "value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings."}], "source": {"advisory": "GHSA-3x37-fjc3-ch8w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-26T15:32:25.389310Z", "id": "CVE-2025-27405", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T15:57:52.238Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27405", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-26T15:32:25.389310Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T15:32:37.161Z"}}], "cna": {"title": "Icinga Web 2 has XSS in embedded content", "source": {"advisory": "GHSA-3x37-fjc3-ch8w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Icinga", "product": "icingaweb2", "versions": [{"status": "affected", "version": "< 2.11.5"}, {"status": "affected", "version": ">= 2.12.0, < 2.12.3"}]}], "references": [{"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w", "name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5", "name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3", "name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-26T15:10:10.288Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27405", "state": "PUBLISHED", "dateUpdated": "2025-03-26T15:57:52.238Z", "dateReserved": "2025-02-24T15:51:17.267Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-26T15:10:10.288Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "60161BE7-EE17-4A2E-8DE5-754492CB1107", "versionEndExcluding": "2.11.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "1137993A-D72D-4EF7-86DC-817F65DEAC3A", "versionEndExcluding": "2.12.3", "versionStartIncluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings."}, {"lang": "es", "value": "Icinga Web 2 es una interfaz web, un framework y una interfaz de l\u00ednea de comandos de c\u00f3digo abierto para la monitorizaci\u00f3n. Una vulnerabilidad en versiones anteriores a la 2.11.5 y la 2.12.13 permite a un atacante manipular una URL que, una vez visitada por cualquier usuario, permite incrustar JavaScript arbitrario en Icinga Web y actuar en nombre de dicho usuario. Este problema se ha resuelto en las versiones 2.11.5 y 2.12.3 de Icinga Web 2. Como workaround, quienes tengan Icinga Web 2.12.2 pueden habilitar una pol\u00edtica de seguridad de contenido en la configuraci\u00f3n de la aplicaci\u00f3n."}], "id": "CVE-2025-27405", "lastModified": "2025-08-01T15:15:28.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-26T16:15:22.983", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}