We use cookies to ensure that we give you the best experience on our website.  Visit our Privacy Policy to learn more. If you continue to use this site, we will assume that you are okay with it.

Your choices regarding cookies on this site.
Your preferences have been updated.
In order for the changes to take effect completely please clear your browser cookies and cache. Then reload the page.

Werk #0982: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C

TitleFix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
Date2014-05-27 11:43:31
Checkmk EditionCheckmk Raw Edition (CRE)
Checkmk Version1.2.5i4
LevelProminent Change
ClassSecurity Fix
CompatibilityCompatible - no manual interaction needed

This fixes the following issue:

The check_mk application is susceptible to reflected XSS attacks. This is mainly the result of inproper output encoding. Reflected XSS can be triggered by sending a malicious URL to a user of the check_mk application. Once the XSS attack is triggered, the attacker has access to the full check_mk (and nagios) application with the access rights of the logged in victim.

The fix applies to the function:

htmllib.py: render_status_icons() actions.py: ajax_action()