CVSS: 4.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30164 – Icinga Web 2 has open redirect on login page
https://notcve.org/view.php?id=CVE-2025-30164
26 Mar 2025 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows to manipulate the backend to redirect the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available. • https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27609 – Icinga Web 2 Vulnerable to Reflected XSS
https://notcve.org/view.php?id=CVE-2025-27609
26 Mar 2025 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. An... • https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27406 – Icinga Reporting Stored XSS leads to SSRF
https://notcve.org/view.php?id=CVE-2025-27406
26 Mar 2025 — Icinga Reporting is the central component for reporting related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows to set up a template that allows to embed arbitrary Javascript. This enables the attacker to act on behalf of the user, if the template is being previewed; and act on behalf of the headless browser, if a report using the template is printed to PDF. This issue has been resolved in version 1.0.3 of Icinga Report... • https://github.com/Icinga/icingaweb2-module-reporting/releases/tag/v1.0.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27405 – Icinga Web 2 has XSS in embedded content
https://notcve.org/view.php?id=CVE-2025-27405
26 Mar 2025 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. • https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27404 – Icinga Web 2 DOM-based XSS vulnerability
https://notcve.org/view.php?id=CVE-2025-27404
26 Mar 2025 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. • https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-23203 – Icinga has rest API endpoints accessible to restricted users
https://notcve.org/view.php?id=CVE-2025-23203
26 Mar 2025 — Icinga Director is an Icinga config deployment tool. A Security vulnerability has been found starting in version 1.0.0 and prior to 1.10.3 and 1.11.3 on several director endpoints of REST API. To reproduce this vulnerability an authenticated user with permission to access the Director is required (plus api access with regard to the api endpoints). And even though some of these Icinga Director users are restricted from accessing certain objects, are able to retrieve information related to them if their name ... • https://github.com/Icinga/icingaweb2-module-director/releases/tag/v1.10.3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 15%CPEs: 4EXPL: 1CVE-2024-49369 – Icinga 2 has a TLS Certificate Validation Bypass for JSON-RPC and HTTP API Connections
https://notcve.org/view.php?id=CVE-2024-49369
12 Nov 2024 — Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.1... • https://github.com/Quantum-Sicarius/CVE-2024-49369 • CWE-295: Improper Certificate Validation •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41811 – ipl/web susceptible to Cross-Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2024-41811
05 Aug 2024 — ipl/web is a set of common web components for php projects. Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF). All affected products, in any version, will be unaffected by this once `icinga-php-library` is upgraded. Version 0.10.1 includes a fix for this. • https://github.com/Icinga/ipl-web/commit/492336fdb57a5bb0881ed642ab36f5841337571e • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24819 – icingaweb2-module-incubator base implementation for HTML forms is susceptible to CSRF
https://notcve.org/view.php?id=CVE-2024-24819
09 Feb 2024 — icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding an element with a CSRF token to any form, unless explicitly disabled, but even if enabled, the CSRF token (sent during a client's submission of a form relying on it) is not validated. This enables atta... • https://github.com/Icinga/icingaweb2-module-incubator/commit/db7dc49585fee0b4e96be666d7f6009a74a1ccb5 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.7EPSS: 0%CPEs: 4EXPL: 1CVE-2024-24820 – Icinga Director configuration is susceptible to Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-24820
09 Feb 2024 — Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as ... • https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide • CWE-352: Cross-Site Request Forgery (CSRF) •