Update (2025-03-26 16:45:00 UTC)
We released a hotfix release for Icinga Web 2.11 and 2.12 afterwards. Please install 2.11.6 and 2.12.4, respectively.
—
Today we are releasing three updates, one for each of three integral components of Icinga, which together close a total of five security vulnerabilities. The updated components are:
- Icinga Web v2.12.3 and v2.11.5
- Icinga Director 1.11.4 and 1.10.4
- Icinga Reporting 1.0.3
If you use any of those, and I suspect most of you use all three, upgrade immediately!
Closed Vulnerabilities
Icinga Web
Cross-site scripting is one of the worst attacks on web-based platforms, especially when carrying it out is as easy as in the first two listed here. You might recognize the open redirect on the login page. You are correct: we already attempted to fix it in v2.11.3 but underestimated PHP’s quirks. The last one is difficult to exploit, hence the lowest severity of all, but don’t be fooled by that!
- XSS in embedded content CVE-2025-27405
- DOM-based XSS CVE-2025-27404
- Open redirect on login page CVE-2025-30164
- Reflected XSS CVE-2025-27609
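The advisory notes that the first fix for the login open redirect underestimated PHP’s quirks. As an added example (not Icinga Web’s code, and not the specific check Icinga used), here is a defensive allow-list check for a post-login redirect target: it accepts only same-origin absolute paths and rejects the input shapes that browsers or `parse_url()` interpret differently from a naive string check.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether a post-login redirect target may be followed.
 * Only same-origin absolute paths such as "/dashboard?x=1" are accepted;
 * anything a browser could resolve to another origin is rejected.
 * Added example for illustration, not Icinga Web code.
 */
function isSafeLocalRedirect(string $target): bool
{
    // Must start with exactly one slash: rejects "https://host/...",
    // protocol-relative "//host/..." and relative paths whose meaning
    // depends on the current URL.
    if ($target === '' || $target[0] !== '/' || (isset($target[1]) && $target[1] === '/')) {
        return false;
    }
    // Browsers treat "\" like "/", so "/\host" is followed as "//host".
    // Control characters and whitespace can split the Location header.
    if (preg_match('/[\\\\\x00-\x20\x7f]/', $target) === 1) {
        return false;
    }
    // parse_url() returns false for inputs it cannot parse; a parsable
    // same-origin path must carry no scheme, host, user info or port.
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $key) {
        if (isset($parts[$key])) {
            return false;
        }
    }
    return true;
}

// Constructed cases (not taken from the advisory): target => expected verdict
$cases = [
    '/dashboard'                        => true,
    '/icingaweb2/monitoring/list?x=1'   => true,
    ''                                  => false, // nothing to redirect to
    'dashboard'                         => false, // relative, resolved against current URL
    'https://example.invalid/'          => false, // absolute URL, other origin
    '//example.invalid/login'           => false, // protocol-relative, other origin
    '/\\example.invalid'                => false, // backslash, normalised to "//" by browsers
    "/dashboard\r\nX-Test: 1"           => false, // CR/LF would split the Location header
];
foreach ($cases as $target => $expected) {
    $verdict = isSafeLocalRedirect($target);
    printf("%-40s %s%s\n", json_encode($target), $verdict ? 'allow' : 'deny',
        $verdict === $expected ? '' : '  <-- unexpected');
}
```

Run with `php redirect_check.php`; every line should print without the `<-- unexpected` marker.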
Icinga Director
Here we don’t verify a user’s authorization correctly. The Icinga Director provides a REST API of which some endpoints allow a user to retrieve information they would otherwise not have access to, but only by requesting specific items, so at least an identifier is required. It’s also not just any user who can exploit this: only one who already has access to the Director and its REST API.
- Rest API endpoints accessible to restricted users CVE-2025-23203
Icinga Reporting
Another cross-site scripting vulnerability, this time in templates, and it is twofold. Opening a malicious template shows you a preview in your current web session and might trigger code execution there. But if a report is exported and transmitted to the headless browser, the code executes on the server. Upgrade, and only then check your templates! Look for suspicious settings.
- Stored XSS leads to SSRF CVE-2025-27406
General Release Notes
Icinga Web v2.12.3
You can find all issues related to this release on our roadmap.
Did you know that we started Icinga Notifications with support for PostgreSQL first? The reason is that we wanted to make sure we are fully compatible with it right away, including that logging in with a PostgreSQL authentication/group backend is case-insensitive, as it has always been for MySQL. Now it really is case-insensitive! Two further issues are fixed which many of you will probably have noticed since v2.12.2; sorry that it took so long 🙂
- Login against Postgres DB is case-sensitive #5223
- Role list has no functioning quick search #5300
- After clicking on Check now, the page does not refresh itself #5293
- Service States display wrong since update to 2.12.2 #5290
Icinga Director v1.11.4
You can find all issues related to this release on our roadmap.
- Fix editing of custom variables for multi-selected objects #2950
- Fix: Check for the existence of service templates to add services #1249
- Fix erratic job behavior during summer and winter time change (no issue)
- Fix custom variable renderer for service apply for rules (no issue)
- Fix custom variable renderer for array type data lists #2960
- Fix MySQL 8.4 nonstandard foreign keys deprecation #2885
Icinga Reporting v1.0.3
You can find all issues related to this release on our roadmap.