Werk #4757: Fixed possible reflected XSS in webapi.py
Component | User interface |
Title | Fixed possible reflected XSS in webapi.py |
Date | Jun 14, 2017 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk Version | 1.2.8p27 1.4.0p6 1.5.0i1 |
Level | Prominent Change |
Class | Security Fix |
Compatibility | Compatible - no manual interaction needed |
In the Check_MK 1.4 branch URLs like this could be used for a reflected XSS attack:
http://<test host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere
The error message was interpreted as HTML while it should be a plain text error message. This has been fixed now.