Icingaweb2
by Icinga
CVEs (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-50942 | | Med | 0.35 | 5.4 | 0.00 | | Feb 1, 2026 | Icinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading… |
| CVE-2022-24716 | | | 0.10 | — | 0.89 | | Mar 8, 2022 | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This… |
| CVE-2022-24715 | | | 0.04 | — | 0.15 | | Mar 8, 2022 | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved… |
| CVE-2025-30164 | | | 0.00 | — | 0.00 | | Mar 26, 2025 | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to… |
| CVE-2025-27609 | | | 0.00 | — | 0.00 | | Mar 26, 2025 | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into… |
| CVE-2025-27405 | | | 0.00 | — | 0.00 | | Mar 26, 2025 | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to… |
| CVE-2025-27404 | | | 0.00 | — | 0.01 | | Mar 26, 2025 | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to… |
| CVE-2022-24714 | | | 0.00 | — | 0.01 | | Mar 8, 2022 | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with… |
| CVE-2021-32747 | | | 0.00 | — | 0.01 | | Jul 12, 2021 | Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration… |
| CVE-2021-32746 | | | 0.00 | — | 0.01 | | Jul 12, 2021 | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need… |
| CVE-2018-18249 | | | 0.00 | — | 0.01 | | Dec 17, 2018 | Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a `name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER}` parameter to /icingaweb2/navigation/add or… |
| CVE-2018-18246 | | | 0.00 | — | 0.00 | | Dec 17, 2018 | Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. |
| CVE-2018-18250 | | | 0.00 | — | 0.01 | | Dec 17, 2018 | Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item. |
| CVE-2018-18247 | | | 0.00 | — | 0.01 | | Dec 17, 2018 | Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. |
| CVE-2018-18248 | | | 0.00 | — | 0.01 | | Dec 17, 2018 | Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string. |