
CVE-2025-30164 – Icinga Web 2 has open redirect on login page
https://notcve.org/view.php?id=CVE-2025-30164
26 Mar 2025 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows manipulating the backend into redirecting the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available. • https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2025-27609 – Icinga Web 2 Vulnerable to Reflected XSS
https://notcve.org/view.php?id=CVE-2025-27609
26 Mar 2025 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows embedding arbitrary JavaScript into it and acting on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. An... • https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-27406 – Icinga Reporting Stored XSS leads to SSRF
https://notcve.org/view.php?id=CVE-2025-27406
26 Mar 2025 — Icinga Reporting is the central component for reporting-related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows setting up a template that embeds arbitrary JavaScript. This enables the attacker to act on behalf of the user if the template is being previewed, and to act on behalf of the headless browser if a report using the template is printed to PDF. This issue has been resolved in version 1.0.3 of Icinga Report... • https://github.com/Icinga/icingaweb2-module-reporting/releases/tag/v1.0.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2025-27405 – Icinga Web 2 has XSS in embedded content
https://notcve.org/view.php?id=CVE-2025-27405
26 Mar 2025 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows embedding arbitrary JavaScript into Icinga Web and acting on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. • https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-27404 – Icinga Web 2 DOM-based XSS vulnerability
https://notcve.org/view.php?id=CVE-2025-27404
26 Mar 2025 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows embedding arbitrary JavaScript into Icinga Web and acting on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. • https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-23203 – Icinga has rest API endpoints accessible to restricted users
https://notcve.org/view.php?id=CVE-2025-23203
26 Mar 2025 — Icinga Director is an Icinga config deployment tool. A security vulnerability has been found on several Director REST API endpoints, affecting versions starting from 1.0.0 and prior to 1.10.3 and 1.11.3. To reproduce this vulnerability, an authenticated user with permission to access the Director is required (plus API access with regard to the API endpoints). Even though some of these Icinga Director users are restricted from accessing certain objects, they are able to retrieve information related to them if their name ... • https://github.com/Icinga/icingaweb2-module-director/releases/tag/v1.10.3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-284: Improper Access Control •

CVE-2024-24819 – icingaweb2-module-incubator base implementation for HTML forms is susceptible to CSRF
https://notcve.org/view.php?id=CVE-2024-24819
09 Feb 2024 — icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding an element with a CSRF token to any form, unless explicitly disabled, but even if enabled, the CSRF token (sent during a client's submission of a form relying on it) is not validated. This enables atta... • https://github.com/Icinga/icingaweb2-module-incubator/commit/db7dc49585fee0b4e96be666d7f6009a74a1ccb5 • CWE-352: Cross-Site Request Forgery (CSRF) •