VYPR

Icingaweb2

by Icinga

CVEs (15)

  • CVE-2022-50942 | Med | Feb 1, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Icinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading…

  • CVE-2022-24716 | Mar 8, 2022
    risk 0.10 | cvss | epss 0.89

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This…

  • CVE-2022-24715 | Mar 8, 2022
    risk 0.04 | cvss | epss 0.15

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved…

  • CVE-2025-30164 | Mar 26, 2025
    risk 0.00 | cvss | epss 0.00

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to…

  • CVE-2025-27609 | Mar 26, 2025
    risk 0.00 | cvss | epss 0.00

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, makes it possible to embed arbitrary JavaScript into…

  • CVE-2025-27405 | Mar 26, 2025
    risk 0.00 | cvss | epss 0.00

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, makes it possible to embed arbitrary JavaScript into Icinga Web and to…

  • CVE-2025-27404 | Mar 26, 2025
    risk 0.00 | cvss | epss 0.01

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, makes it possible to embed arbitrary JavaScript into Icinga Web and to…

  • CVE-2022-24714 | Mar 8, 2022
    risk 0.00 | cvss | epss 0.01

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with…

  • CVE-2021-32747 | Jul 12, 2021
    risk 0.00 | cvss | epss 0.01

    Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration…

  • CVE-2021-32746 | Jul 12, 2021
    risk 0.00 | cvss | epss 0.01

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows viewing documentation directly in the UI. It must be enabled manually by an administrator and users need…

  • CVE-2018-18249 | Dec 17, 2018
    risk 0.00 | cvss | epss 0.01

    Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or…

  • CVE-2018-18246 | Dec 17, 2018
    risk 0.00 | cvss | epss 0.00

    Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module.

  • CVE-2018-18250 | Dec 17, 2018
    risk 0.00 | cvss | epss 0.01

    Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item.

  • CVE-2018-18247 | Dec 17, 2018
    risk 0.00 | cvss | epss 0.01

    Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter.

  • CVE-2018-18248 | Dec 17, 2018
    risk 0.00 | cvss | epss 0.01

    Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string.