icingacli-2.12.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:14931-1 Final 1 1 2025-03-26T00:00:00Z current 2025-03-26T00:00:00Z 2025-03-26T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z icingacli-2.12.4-1.1 on GA media These are all security issues fixed in the icingacli-2.12.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-14931 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-27404/ SUSE CVE CVE-2025-27404 page https://www.suse.com/security/cve/CVE-2025-27405/ SUSE CVE CVE-2025-27405 page https://www.suse.com/security/cve/CVE-2025-27609/ SUSE CVE CVE-2025-27609 page https://www.suse.com/security/cve/CVE-2025-30164/ SUSE CVE CVE-2025-30164 page openSUSE Tumbleweed icingacli-2.12.4-1.1 icingaweb2-2.12.4-1.1 icingaweb2-common-2.12.4-1.1 icingaweb2-php-fpm-2.12.4-1.1 php-icinga-2.12.4-1.1 icingacli-2.12.4-1.1 as a component of openSUSE Tumbleweed icingaweb2-2.12.4-1.1 as a component of openSUSE Tumbleweed icingaweb2-common-2.12.4-1.1 as a component of openSUSE Tumbleweed icingaweb2-php-fpm-2.12.4-1.1 as a component of openSUSE Tumbleweed php-icinga-2.12.4-1.1 as a component of openSUSE Tumbleweed Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. CVE-2025-27404 openSUSE Tumbleweed:icingacli-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-common-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-php-fpm-2.12.4-1.1 openSUSE Tumbleweed:php-icinga-2.12.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-27404.html CVE-2025-27404 https://bugzilla.suse.com/1240145 SUSE Bug 1240145 Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. CVE-2025-27405 openSUSE Tumbleweed:icingacli-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-common-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-php-fpm-2.12.4-1.1 openSUSE Tumbleweed:php-icinga-2.12.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-27405.html CVE-2025-27405 https://bugzilla.suse.com/1240146 SUSE Bug 1240146 Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability. CVE-2025-27609 openSUSE Tumbleweed:icingacli-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-common-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-php-fpm-2.12.4-1.1 openSUSE Tumbleweed:php-icinga-2.12.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-27609.html CVE-2025-27609 https://bugzilla.suse.com/1240148 SUSE Bug 1240148 Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows to manipulate the backend to redirect the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available. CVE-2025-30164 openSUSE Tumbleweed:icingacli-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-common-2.12.4-1.1 openSUSE Tumbleweed:icingaweb2-php-fpm-2.12.4-1.1 openSUSE Tumbleweed:php-icinga-2.12.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-30164.html CVE-2025-30164 https://bugzilla.suse.com/1240149 SUSE Bug 1240149