CVE-2025-27609 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-27609 Interim 1 2 2025-08-05T23:27:45Z current 2025-03-28T00:12:33Z 2025-08-05T23:27:45Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-27609 Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Tumbleweed icingacli-2.12.4-1.1 icingaweb2-2.12.4-1.1 icingaweb2-common-2.12.4-1.1 icingaweb2-php-fpm-2.12.4-1.1 php-icinga-2.12.4-1.1 icingacli-2.12.4-1.1 as a component of openSUSE Tumbleweed icingaweb2-2.12.4-1.1 as a component of openSUSE Tumbleweed icingaweb2-common-2.12.4-1.1 as a component of openSUSE Tumbleweed icingaweb2-php-fpm-2.12.4-1.1 as a component of openSUSE Tumbleweed php-icinga-2.12.4-1.1 as a component of openSUSE Tumbleweed Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability. CVE-2025-27609 openSUSE Tumbleweed:icingacli-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-common-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-php-fpm-2.12.4-1.1 openSUSE Tumbleweed:php-icinga-2.12.4-1.1 moderate 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N