Werk #16618: Fix XSS in graph rendering
Component | Setup
Title | Fix XSS in graph rendering
Date | 04.04.2024
Level | Minor change
Class | Security fix
Compatibility | Compatible - no manual intervention required
Prior to this Werk, a service name containing HTML tags led to cross-site scripting in the graph rendering.
We found this vulnerability internally.
Affected Versions:
Only 2.3.0 is affected, older versions are NOT affected.
Vulnerability Management:
We have rated the issue with a CVSS score of 4.6 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.
We assigned CVE-2024-2380 to this vulnerability.
Changes:
This Werk changes the encoding engine to use our customized JSON encoder.
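As an added illustration (not Checkmk's own encoder or graph code), the following Python contrasts the defect class described above, a service name with HTML tags written unescaped into an inline script, with an HTML-safe JSON encoder that neutralises it. The service name, the `renderGraph` JavaScript call and all function names are constructed for this example.

```python
import json
from typing import Any

# Characters that can break out of a <script> / HTML context even when they
# sit inside a JSON string literal. Replacing them with \uXXXX escapes keeps
# the JSON valid for the JavaScript side while making them inert for the
# HTML parser.
_HTML_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",  # JS treats these as line terminators
    "\u2029": "\\u2029",
}


def naive_render_graph_script(graph_spec: dict) -> str:
    """Vulnerable pattern: plain json.dumps leaves '<' and '>' untouched."""
    return "<script>renderGraph(%s);</script>" % json.dumps(graph_spec)


def html_safe_json(value: Any) -> str:
    """Encode value as JSON that is safe to embed inside HTML / <script>."""
    encoded = json.dumps(value, ensure_ascii=False)
    # None of the escaped characters are JSON structural characters, so a
    # global replace on the encoded text cannot corrupt the document.
    for char, replacement in _HTML_UNSAFE.items():
        encoded = encoded.replace(char, replacement)
    return encoded


def safe_render_graph_script(graph_spec: dict) -> str:
    """Hardened pattern: the embedded JSON contains no raw HTML metacharacters."""
    return "<script>renderGraph(%s);</script>" % html_safe_json(graph_spec)


def round_trips(value: Any) -> bool:
    """The escaping must be lossless: decoding yields the original value."""
    return json.loads(html_safe_json(value)) == value


if __name__ == "__main__":
    # Constructed sample: a service name carrying markup.
    spec = {"service": "<b>CPU & disk</b> load", "host": "srv01"}
    print(naive_render_graph_script(spec))  # markup reaches the HTML parser
    print(safe_render_graph_script(spec))   # markup is \u-escaped
```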