Bug 953033 - <www-apps/icingaweb2-2.12.3: multiple XSS vulnerabilities (CVE-2025-{27404,27405,27609,30164})
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
Importance: Normal normal
Assignee: Gentoo Security
URL: https://icinga.com/blog/icinga-securi...
Whiteboard: B4 [ebuild]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2025-04-02 03:13 UTC by Fischl Anton
Modified: 2025-04-02 07:31 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---
Description Fischl Anton 2025-04-02 03:13:27 UTC
CVE-2025-27404 (7.7/10): The vulnerability allows an attacker to craft a URL that, once visited by any user, allows embedding arbitrary JavaScript into Icinga Web and acting on behalf of that user.

CVE-2025-27405 (7.7/10): The vulnerability allows an attacker to craft a URL that, once visited by any user, allows embedding arbitrary JavaScript into Icinga Web and acting on behalf of that user.

CVE-2025-27609 (Low): The vulnerability allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows embedding arbitrary JavaScript into it and acting on behalf of that user.

CVE-2025-30164 (4.1/10): The vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows manipulating the backend to redirect the user to any location.


Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2025-04-02 04:15:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d52a01ad99d612df186247c6c2352b05f179ff9

commit 1d52a01ad99d612df186247c6c2352b05f179ff9
Author:     Anton Fischl <github@fischl-online.de>
AuthorDate: 2025-04-02 03:47:06 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2025-04-02 04:14:47 +0000

    www-apps/icingaweb2: add 2.12.4
    
    Bug: https://bugs.gentoo.org/953033
    Signed-off-by: Anton Fischl <github@fischl-online.de>
    Closes: https://github.com/gentoo/gentoo/pull/41425
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 www-apps/icingaweb2/Manifest                 |  1 +
 www-apps/icingaweb2/icingaweb2-2.12.4.ebuild | 77 ++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)