Werk #17024: Fix XSS in Crash Report Page

Component Setup
Title Fix XSS in Crash Report Page
Date 06.06.2024
Level Minor change
Class Security fix
Compatibility Compatible - no manual intervention required
Checkmk versions & editions
2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p7 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p28 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p45 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk, it was possible to inject HTML elements into the crash report URL configured in the Global settings; the unescaped value was rendered on the Crash reports page, leading to an XSS vulnerability there.

This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL)

Indicators of Compromise:

Check the crash report HTTP URL in the Global settings for suspicious HTML elements.
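As an added illustration (not Checkmk's own code), the following shows the defect pattern the Werk describes, a configured URL interpolated straight into markup, next to a hardened renderer, plus the indicator-of-compromise check from above as a function. The setting name, the markup and the sample values are constructed assumptions.

```python
import html
from urllib.parse import urlparse

# Constructed sample values standing in for the "crash report HTTP URL"
# global setting (assumption: these strings are made up for this example).
SAFE_URL = "https://crash.example.com/report"
SUSPICIOUS_URL = 'https://crash.example.com/"><b>injected</b>'


def validate_crash_report_url(url: str) -> bool:
    """True only for a plain http(s) URL with no characters that could close
    an HTML attribute or open a tag when the value is rendered."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return not any(ch in url for ch in '<>"\'')


def render_crash_report_link_unescaped(url: str) -> str:
    """The defect pattern: the setting is written into markup verbatim, so any
    HTML in the configured value lands in the page unchanged."""
    return f'<a href="{url}">Submit crash report</a>'


def render_crash_report_link(url: str) -> str:
    """Hardened form: reject anything that is not a plain http(s) URL, then
    escape for the attribute context before emitting markup."""
    if not validate_crash_report_url(url):
        raise ValueError("crash report URL rejected: not a plain http(s) URL")
    return f'<a href="{html.escape(url, quote=True)}">Submit crash report</a>'


def audit_setting(url: str) -> str:
    """Indicator-of-compromise check from the Werk: flag a configured crash
    report URL that carries HTML markup."""
    return "clean" if validate_crash_report_url(url) else "suspicious"


if __name__ == "__main__":
    for value in (SAFE_URL, SUSPICIOUS_URL):
        print(f"{audit_setting(value):10s} {value}")
```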

Vulnerability Management:

We have rated the issue with a CVSS score of 4.8 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, and assigned CVE-2024-28832.
