CVE-2025-30164— Icinga Web 2 has open redirect on login page
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-30164
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Icinga Web 2 has open redirect on login page
Source: NVD (National Vulnerability Database)
Vulnerability Description
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows to manipulate the backend to redirect the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
指向未可信站点的URL重定向(开放重定向)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Icinga Web 2 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Icinga Web 2是Icinga开源的一个开源监控和度量解决方案。 Icinga Web 2 2.11.5之前版本和2.12.13之前版本存在输入验证错误漏洞,该漏洞源于可构造URL导致重定向到任意位置。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Icinga | icingaweb2 | < 2.11.5 | - |
II. Public POCs for CVE-2025-30164
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-30164
Please Login to view more intelligence information
- Release Icinga Web Version 2.11.5 · Icinga/icingaweb2 · GitHubx_refsource_MISC
- Release Icinga Web Version 2.12.3 · Icinga/icingaweb2 · GitHubx_refsource_MISC
- Open redirect on login page · Advisory · Icinga/icingaweb2 · GitHubx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2025-30164
Same Patch Batch · Icinga · 2025-03-26 · 6 CVEs total
| CVE-2025-27404 | 7.7 HIGH | Icinga Web 2 DOM-based XSS vulnerability |
| CVE-2025-27405 | 7.7 HIGH | Icinga Web 2 has XSS in embedded content |
| CVE-2025-27406 | 7.7 HIGH | Icinga Reporting Stored XSS leads to SSRF |
| CVE-2025-23203 | 5.5 MEDIUM | Icinga has rest API endpoints accessible to restricted users |
| CVE-2025-27609 | Icinga Web 2 Vulnerable to Reflected XSS |
IV. Related Vulnerabilities
Same product: icingaweb2
- CVE-2025-27609
Icinga Web 2 Vulnerable to Reflected XSS - CVE-2025-27405
Icinga Web 2 has XSS in embedded content - CVE-2025-27404
Icinga Web 2 DOM-based XSS vulnerability - CVE-2022-24714
Disclosure of hosts and related data, linked to decommission - CVE-2022-24715
Arbitrary code execution for authenticated users in Icinga W
Same vendor: Icinga
- CVE-2026-42224
ipl/web is vulnerable to reflected XSS by malformed search r - CVE-2026-24414
Icinga for Windows certificate can have too-open permissions - CVE-2026-24413
Icinga has insecure permission of %ProgramData%\icinga2\var - CVE-2025-61909
Icinga 2 signals sent as root to processes based on PID file - CVE-2025-61908
Icinga 2 Denial of Service (DoS) By Dereferencing Invalid Re
Same weakness: CWE-601
- CVE-2026-42350
Kargo: Open Redirect in UI OIDC Login Flow via redirectTo Qu - CVE-2026-42195
Unvalidated gitlab URL parameter redirects OAuth authorize s - CVE-2026-3318
Multiple vulnerabilities in Cradle e-commerce - CVE-2026-42259
Saltcorn: Open Redirect in `POST /auth/login` due to incompl - CVE-2026-6795
Open Redirect in DivvyDrive Information Technologies' DivvyD
V. Comments for CVE-2025-30164
No comments yet