What's New in Version 2.12.3
Notice: This is a security release. It is recommended to upgrade immediately.
You can find all issues related to this release on our Roadmap.
Vulnerabilities, Closed
Cross site scripting is one of the worst attacks on web based platforms. Especially, if carrying it out is as easy as the first two mentioned here. You might recognize the open redirect on the login. You are correct, we attempted to fix it already with v2.11.3 but underestimated PHP's quirks. The last is difficult to exploit, hence the lowest severity of all, but don't be fooled by that!
All four of them are backported to v2.11.5.
- XSS in embedded content CVE-2025-27405
- DOM-based XSS CVE-2025-27404
- Open redirect on login page CVE-2025-30164
- Reflected XSS CVE-2025-27609
Big thanks to all finders / reporters! 👍
Bugs, Exterminated
Did you know, that we started Icinga Notifications with support for PostgreSQL first? Reason for that is, we wanted to make sure we are fully compatible with it right away. To ensure things like logging in with a PostgreSQL authentication/group backend is case-insensitive, like it was always the case for MySQL. Now it really is case-insensitive! There are also two issues fixed, which many of you will probably have noticed since v2.12.2, sorry that it took so long :)