CVE-2025-27405: Cross-Site Scripting Vulnerability in Icinga Web 2 Embedded Content
Executive Summary
CVE-2025-27405 is a cross-site scripting (XSS) vulnerability affecting Icinga Web 2, a widely used open-source monitoring web interface. This vulnerability allows an attacker to inject arbitrary JavaScript code into the Icinga Web 2 interface by crafting a malicious URL. If a user clicks on this crafted URL, the injected JavaScript code will execute within their browser session, potentially allowing the attacker to perform actions on behalf of the user, steal sensitive information, or deface the web interface. The vulnerability is classified as requiring high privileges and user interaction, but successful exploitation can lead to complete compromise of confidentiality, integrity, and availability. Patches are available for versions 2.11.5 and 2.12.3. A workaround exists for version 2.12.2 by enabling Content Security Policy (CSP).
Technical Details
The vulnerability resides within the IframeController.php component of Icinga Web 2. Specifically, it stems from insufficient validation and sanitization of the url parameter passed to the indexAction function when rendering content within an iframe.
Affected Systems:
- Icinga Web 2
Affected Versions:
- Versions prior to 2.11.5
- Versions 2.12.0, 2.12.1 and 2.12.2
Vulnerable Component:
application/controllers/IframeController.php
The core issue is that the application was directly embedding the provided URL into an iframe's src attribute without properly escaping or validating it. This allows an attacker to inject JavaScript code via a javascript: URL or by pointing the iframe to a malicious website hosting JavaScript.
Root Cause Analysis
The root cause of CVE-2025-27405 is the lack of proper input validation and output encoding when handling URLs intended for display within iframes. The IframeController in the affected versions of Icinga Web 2 directly uses the user-supplied URL to construct the src attribute of an <iframe> tag. This allows an attacker to inject arbitrary JavaScript code by crafting a malicious URL.
Before the patch, the indexAction function in IframeController.php looked something like this:
<?php
namespace Icinga\Controllers;
use Icinga\Web\Controller;
/**
* Display external or internal links within an iframe
*/
class IframeController extends Controller
{
/**
* Display iframe w/ the given URL
*/
public function indexAction()
{
$this->view->url = $this->params->getRequired('url');
}
}
And the corresponding view script application/views/scripts/iframe/index.phtml would render the iframe like this:
<?php if (! $compact): ?>
<div class="controls">
<?= $tabs ?>
</div>
<?php endif ?>
<div class="iframe-container">
<iframe src="<?= $this->escape($url) ?>" frameborder="no"></iframe>
</div>
The critical line is <iframe src="<?= $this->escape($url) ?>" frameborder="no"></iframe>. While $this->escape() provides some level of protection, it's insufficient to prevent XSS in all cases, especially when dealing with complex URLs or javascript: URLs.
For example, an attacker could craft a URL like this:
https://icingaweb2.example.com/iframe?url=javascript:alert('XSS')
When a user visits this URL, the browser will execute the JavaScript code alert('XSS') within the context of the Icinga Web 2 domain, demonstrating a successful XSS attack.
Patch Analysis
The patch addresses the vulnerability by implementing a mechanism to ensure that only trusted iframe sources are opened. Trust is established by verifying a hash of the URL against the user's session ID, similar to how CSRF tokens are used. This prevents attackers from directly crafting malicious URLs that will be executed within the iframe.
The primary changes are in application/controllers/IframeController.php, library/Icinga/Web/Navigation/Renderer/NavigationItemRenderer.php, public/css/icinga/main.less, and public/js/icinga/events.js.
Here's a detailed breakdown of the changes in application/controllers/IframeController.php:
--- a/application/controllers/IframeController.php
+++ b/application/controllers/IframeController.php
@@ -3,18 +3,108 @@
namespace Icinga\Controllers;
-use Icinga\Web\Controller;
+use Icinga\Web\Session;
+use ipl\Html\BaseHtmlElement;
+use ipl\Html\Html;
+use ipl\Html\HtmlString;
+use ipl\Html\Text;
+use ipl\Web\Compat\CompatController;
+use ipl\Web\Url;
+use ipl\Web\Widget\Icon;
+use ipl\Web\Widget\Tabs;
/**
* Display external or internal links within an iframe
*/
-class IframeController extends Controller
+class IframeController extends CompatController
{
/**
* Display iframe w/ the given URL
*/
- public function indexAction()
+ public function indexAction(): void
{
- $this->view->url = $this->params->getRequired('url');
+ $url = Url::fromPath($this->params->getRequired('url'));
+ $urlHash = $this->getRequest()->getHeader('X-Icinga-URLHash');
+ $expectedHash = hash('sha256', $url->getAbsoluteUrl() . Session::getSession()->getId());
+ $iframeUrl = Url::fromPath('iframe', ['url' => $url->getAbsoluteUrl()]);
+
+ if (! in_array($url->getScheme(), ['http', 'https'], true)) {
+ $this->httpBadRequest('Invalid URL scheme');
+ }
+
+ $this->injectTabs();
+
+ $this->getTabs()->setRefreshUrl($iframeUrl);
+
+ if ($urlHash) {
+ if ($urlHash !== $expectedHash) {
+ $this->httpBadRequest('Invalid URL hash');
+ }
+ } else {
+ $this->addContent(Html::tag('div', ['class' => 'iframe-warning'], [
+ Html::tag('h2', $this->translate('Attention!')),
+ Html::tag('p', ['class' => 'note'], $this->translate(
+ 'You are about to open untrusted content embedded in Icinga Web! Only proceed,'
+ . ' by clicking the link below, if you recognize and trust the source!'
+ )),
+ Html::tag('a', ['data-url-hash' => $expectedHash, 'href' => Html::escape($iframeUrl)], $url),
+ Html::tag('p', ['class' => 'reason'], [
+ new Icon('circle-info'),
+ Text::create($this->translate(
+ 'You see this warning because you do not seem to have followed a link in Icinga Web.'
+ . ' You can bypass this in the future by configuring a navigation item instead.'
+ ))
+ ])
+ ]));
+
+ return;
+ }
+
+ $this->getTabs()->setHash($expectedHash);
+
+ $this->addContent(Html::tag(
+ 'div',
+ ['class' => 'iframe-container'],
+ Html::tag('iframe', [
+ 'src' => $url,
+ 'sandbox' => 'allow-same-origin allow-scripts allow-popups allow-forms',
+ ])
+ ));
+ }
+
+ private function injectTabs(): void
+ {
+ $this->tabs = new class extends Tabs {
+ private $hash;
+
+ public function setHash($hash)
+ {
+ $this->hash = $hash;
+
+ return $this;
+ }
+
+ protected function assemble()
+ {
+ $tabHtml = substr($this->tabs->render(), 34, -5);
+ if ($this->refreshUrl !== null) {
+ $tabHtml = preg_replace(
+ [
+ '/(?<=class="refresh-container-control spinner" href=")([^"]*)/\',
+ '/(\\s)(?=href)/'
+ ],
+ [
+ $this->refreshUrl->getAbsoluteUrl(),
+ ' data-url-hash="' . $this->hash . '" '
+ ],
+ $tabHtml
+ );
+ }
+
+ BaseHtmlElement::add(HtmlString::create($tabHtml));
+ }
+ };
+
+ $this->controls->setTabs($this->tabs);
}
}
Explanation of the Patch:
-
URL Hashing: The patch introduces a mechanism to hash the URL using the user's session ID. This hash is then used to verify the authenticity of the URL.
$expectedHash = hash('sha256', $url->getAbsoluteUrl() . Session::getSession()->getId());- This line calculates the SHA256 hash of the absolute URL concatenated with the user's session ID. This hash serves as a unique identifier for trusted URLs.
-
X-Icinga-URLHash Header: The patch expects a custom HTTP header
X-Icinga-URLHashto be present in the request. This header should contain the calculated hash of the URL.$urlHash = $this->getRequest()->getHeader('X-Icinga-URLHash');- This line retrieves the value of the
X-Icinga-URLHashheader from the HTTP request.
-
Hash Verification: The patch verifies that the
X-Icinga-URLHashheader matches the expected hash. If the hashes don't match, the request is rejected.if ($urlHash) { if ($urlHash !== $expectedHash) { $this->httpBadRequest('Invalid URL hash'); } }- This code block checks if the
X-Icinga-URLHashheader is present and if its value matches the$expectedHash. If they don't match, an HTTP 400 Bad Request error is returned, preventing the iframe from loading.
-
Warning Message: If the
X-Icinga-URLHashheader is missing, the patch displays a warning message to the user, informing them that they are about to open untrusted content. The warning message includes a link that, when clicked, will reload the iframe with the correctX-Icinga-URLHashheader.- This section generates HTML code for a warning message that is displayed when the
X-Icinga-URLHashheader is missing. The message informs the user about the potential risks of opening untrusted content and provides a link to proceed with loading the iframe. The link includes the$expectedHashas adata-url-hashattribute.
- This section generates HTML code for a warning message that is displayed when the
-
Iframe Rendering: If the URL hash is valid, the patch renders the iframe with the provided URL. The
sandboxattribute is used to restrict the capabilities of the iframe, further mitigating the risk of XSS.- This code block generates the HTML code for the iframe. The
srcattribute is set to the provided URL, and thesandboxattribute is used to restrict the capabilities of the iframe. Thesandboxattribute includesallow-same-origin,allow-scripts,allow-popups, andallow-forms, which are necessary for the iframe to function correctly but also introduce some security risks.
- This code block generates the HTML code for the iframe. The
-
Navigation Item Modification: The
NavigationItemRenderer.phpfile is modified to automatically add thedata-url-hashattribute to external links that are opened in iframes. This ensures that theX-Icinga-URLHashheader is included when the user clicks on these links. -
JavaScript Changes: The
events.jsfile is updated to include theX-Icinga-URLHashheader when loading URLs via AJAX. This ensures that the hash is included when the user clicks on links that are loaded dynamically. -
CSS Changes: The
main.lessfile is updated to include styles for the warning message that is displayed when theX-Icinga-URLHashheader is missing.
The changes in application/views/scripts/iframe/index.phtml are simply removing the direct rendering of the URL, as this is now handled within the controller.
--- a/application/views/scripts/iframe/index.phtml
+++ b/application/views/scripts/iframe/index.phtml
@@ -1,8 +0,0 @@
-<?php if (! $compact): ?>
-<div class="controls">
- <?= $tabs ?>
-</div>
-<?php endif ?>
-<div class="iframe-container">
- <iframe src="<?= $this->escape($url) ?>" frameborder="no"></iframe>
-</div>
The changes in library/Icinga/Web/Navigation/Renderer/NavigationItemRenderer.php ensure that the data-url-hash attribute is added to navigation items:
--- a/library/Icinga/Web/Navigation/Renderer/NavigationItemRenderer.php
+++ b/library/Icinga/Web/Navigation/Renderer/NavigationItemRenderer.php
@@ -7,6 +7,7 @@
use Icinga\Exception\ProgrammingError;
use Icinga\Util\StringHelper;
use Icinga\Web\Navigation\NavigationItem;
+use Icinga\Web\Session;
use Icinga\Web\Url;
use Icinga\Web\View;
@@ -190,6 +191,10 @@ public function render(NavigationItem $item = null)
$target = $item->getTarget();
if ($url->isExternal() && (!$target || in_array($target, $this->internalLinkTargets, true))) {
+ $item->setAttribute('data-url-hash', hash(
+ 'sha256',
+ $url->getAbsoluteUrl() . Session::getSession()->getId()
+ ));
$url = Url::fromPath('iframe', array('url' => $url));
}
The changes in public/css/icinga/main.less add styling for the iframe warning:
--- a/public/css/icinga/main.less
+++ b/public/css/icinga/main.less
@@ -282,6 +282,39 @@ a:hover > .icon-cancel {
// Responsive iFrames
+.iframe-warning {
+ h2, p, a {
+ display: block;
+ width: fit-content;
+ font-size: 200%;
+ margin: 0 auto;
+ padding: 1em;
+ }
+
+ h2 {
+ font-size: 1000%;
+ color: @state-warning;
+ }
+
+ .note {
+ background: @gray-lighter;
+ }
+
+ a {
+ text-decoration: underline;
+ }
+
+ .reason {
+ .icon {
+ color: @text-color;
+ }
+
+ font-size: 100%;
+ background: @gray-lightest;
+ color: @text-color-light;
+ }
+}
+
.iframe-container {
position: relative;
height: 0;
Finally, the changes in public/js/icinga/events.js ensure that the X-Icinga-URLHash header is sent with AJAX requests:
--- a/public/js/icinga/events.js
+++ b/public/js/icinga/events.js
@@ -281,6 +281,7 @@
var $eventTarget = $(event.target);\n
var href = $a.attr(\'href\');\n
var linkTarget = $a.attr(\'target\');\n
+ const urlHash = this.dataset.urlHash;\n
var $target;\n
var formerUrl;\n
@@ -391,7 +392,20 @@
}\n
\n
// Load link URL\n
- icinga.loader.loadUrl(href, $target);\n
+ if (urlHash) {\n
+ icinga.loader.loadUrl(\n
+ href,\n
+ $target,\n
+ undefined,\n
+ undefined,\n
+ undefined,\n
+ undefined,\n
+ undefined,\n
+ { "X-Icinga-URLHash": urlHash }\n
+ );\n
+ } else {\n
+ icinga.loader.loadUrl(href, $target);\n
+ }\n
\n
if ($a.closest(\'#menu\').length > 0) {\n
// Menu links should remove all but the first layout column\n
In summary, the patch introduces a robust mechanism to verify the authenticity of URLs before they are loaded into iframes, effectively mitigating the XSS vulnerability.
Exploitation Techniques
An attacker can exploit this vulnerability by crafting a malicious URL that, when visited by a user, executes arbitrary JavaScript code within the user's browser session.
Proof-of-Concept (PoC) Example (Pre-Patch):
-
Craft a malicious URL:
https://icingaweb2.example.com/iframe?url=javascript:alert('XSS') -
Send the URL to a victim: The attacker could send this URL via email, chat, or any other communication channel.
-
Victim clicks the link: When the victim clicks on the link, their browser will navigate to the Icinga Web 2 instance and attempt to load the URL in an iframe.
-
JavaScript Execution: Because the URL starts with
javascript:, the browser will execute the JavaScript codealert('XSS')within the context of the Icinga Web 2 domain. This demonstrates a successful XSS attack.
Attack Scenario:
-
Phishing: An attacker sends a phishing email to an Icinga Web 2 administrator, pretending to be a legitimate user or service. The email contains a link to a malicious URL crafted to exploit CVE-2025-27405.
-
Credential Theft: If the administrator clicks on the link, the injected JavaScript code could steal their session cookie or other sensitive information and send it to the attacker's server.
-
Account Takeover: With the stolen session cookie, the attacker can impersonate the administrator and gain full control of the Icinga Web 2 instance.
-
Data Exfiltration: The attacker can use their access to exfiltrate sensitive monitoring data, such as server configurations, network topologies, and security credentials.
-
System Compromise: The attacker can use their access to compromise the underlying systems being monitored by Icinga Web 2, potentially leading to a widespread security breach.
Real-World Impacts:
- Data Breach: Sensitive monitoring data could be exposed to unauthorized parties.
- System Compromise: Critical systems could be compromised, leading to service disruptions and financial losses.
- Reputation Damage: The organization's reputation could be damaged due to the security breach.
- Compliance Violations: The organization could face fines and penalties for violating data privacy regulations.
Mitigation Strategies
To mitigate the risk of CVE-2025-27405, the following strategies are recommended:
-
Upgrade to the latest version: Upgrade Icinga Web 2 to version 2.11.5 or 2.12.3, which contain the necessary patches to address the vulnerability.
-
Enable Content Security Policy (CSP): If upgrading is not immediately feasible, enable CSP in the application settings. This can help to prevent the execution of arbitrary JavaScript code within the Icinga Web 2 interface. This is the recommended workaround for version 2.12.2.
-
Input Validation and Output Encoding: Ensure that all user-supplied input is properly validated and sanitized before being used in the application. Use appropriate output encoding techniques to prevent XSS attacks.
-
Principle of Least Privilege: Grant users only the minimum level of access required to perform their job duties. This can help to limit the impact of a successful XSS attack.
-
Security Awareness Training: Educate users about the risks of phishing attacks and social engineering. Teach them how to identify malicious URLs and avoid clicking on suspicious links.
-
Regular Security Audits: Conduct regular security audits of the Icinga Web 2 instance to identify and address potential vulnerabilities.
-
Web Application Firewall (WAF): Deploy a WAF to protect the Icinga Web 2 instance from common web attacks, including XSS.
Timeline of Discovery and Disclosure
- 2025-02-24: Vulnerability reported to Icinga security team.
- 2025-03-26: Patches released for versions 2.11.5 and 2.12.3.
- 2025-03-26: Public disclosure of CVE-2025-27405.
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27405
- GitHub Advisory: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w
- Icinga Web 2 Releases:
- SUSE CVE Database: https://www.suse.com/security/cve/index.html