CVE-2025-27404 (7.7/10): The vulnerability allows an attacker to craft a URL that, once visited by any user, allows embedding arbitrary JavaScript into Icinga Web and acting on behalf of that user.
CVE-2025-27405 (7.7/10): The vulnerability allows an attacker to craft a URL that, once visited by any user, allows embedding arbitrary JavaScript into Icinga Web and acting on behalf of that user.
CVE-2025-27609 (Low): The vulnerability allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows embedding arbitrary JavaScript into it and acting on behalf of that user.
CVE-2025-30164 (4.1/10): The vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows manipulating the backend to redirect the user to any location.

Reproducible: Always
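The last entry above is an open redirect: the backend takes a location from the request and sends the user there without checking that it stays on the same site. The following is an added example, not code from Icinga Web (which is PHP) or from this bug, written in Python to show the check such a redirect handler needs. The function names (is_local_redirect, resolve_redirect) and the sample targets are assumptions constructed for illustration; the bypass inputs are the standard ones (scheme-relative //host, backslash treated as slash by browsers, percent-encoded slashes, CRLF for header injection), not anything taken from the Icinga advisories.

```python
from urllib.parse import unquote, urlsplit

# Characters that must never reach a Location header: CR/LF permit header
# injection, NUL and TAB are stripped or truncated by some parsers/browsers.
_FORBIDDEN = "\r\n\x00\t"


def unsafe_redirect_target(target: str) -> str:
    """The vulnerable pattern: trust the caller-supplied location as-is."""
    return target


def is_local_redirect(target: str, max_len: int = 2048) -> bool:
    """Return True only if `target` is a same-origin, path-only location.

    Accepts "/path?query#frag"; rejects absolute URLs, scheme-relative URLs
    ("//host"), backslash variants ("/\\host"), percent-encoded variants
    ("%2F%2Fhost"), javascript: URLs, and anything carrying control chars.
    """
    if not target or len(target) > max_len:
        return False

    # Decode once so an encoded "//" cannot smuggle a host past the prefix check.
    # A double-encoded value decodes to "%2F..." and is rejected below because
    # it no longer starts with "/".
    decoded = unquote(target)

    if any(c in decoded for c in _FORBIDDEN):
        return False

    # Browsers normalise backslashes to slashes in the authority position,
    # so "/\evil.example" would navigate off-site; treat it as "//evil.example".
    normalised = decoded.replace("\\", "/")

    # Must be an absolute path on this origin: exactly one leading slash.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False

    # Defence in depth: the parser must agree there is no scheme or host.
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False

    return True


def resolve_redirect(target: str, default: str = "/dashboard") -> str:
    """Hardened form: honour the target only if it passes the local check."""
    return target if is_local_redirect(target) else default


# Constructed sample inputs (not from the advisories) and the expected verdict.
SAMPLE_TARGETS = {
    "/dashboard": True,
    "/monitoring/list/hosts?sort=name#top": True,
    "https://evil.example/": False,
    "//evil.example/": False,
    "/\\evil.example/": False,
    "%2F%2Fevil.example": False,
    "javascript:alert(1)": False,
    "/ok\r\nSet-Cookie: session=x": False,
    "": False,
}


def check_samples() -> dict:
    """Run every sample through the check; returns {target: (got, expected)}."""
    return {t: (is_local_redirect(t), want) for t, want in SAMPLE_TARGETS.items()}


if __name__ == "__main__":
    for target, (got, want) in check_samples().items():
        status = "ok " if got == want else "BAD"
        print(f"{status} {got!s:5} {target!r} -> {resolve_redirect(target)!r}")
```

The check deliberately accepts only origin-relative paths rather than trying to allowlist hostnames: a path-only policy has no host-matching edge cases (userinfo tricks, trailing dots, lookalike hosts), and a redirect-after-login flow normally needs nothing more. If an application must redirect to other hosts, compare the parsed netloc against an explicit allowlist instead of relaxing this check.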
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d52a01ad99d612df186247c6c2352b05f179ff9

commit 1d52a01ad99d612df186247c6c2352b05f179ff9
Author:     Anton Fischl <github@fischl-online.de>
AuthorDate: 2025-04-02 03:47:06 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2025-04-02 04:14:47 +0000

    www-apps/icingaweb2: add 2.12.4

    Bug: https://bugs.gentoo.org/953033
    Signed-off-by: Anton Fischl <github@fischl-online.de>
    Closes: https://github.com/gentoo/gentoo/pull/41425
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 www-apps/icingaweb2/Manifest                 |  1 +
 www-apps/icingaweb2/icingaweb2-2.12.4.ebuild | 77 ++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)