Werk #17025: Fix XSS in confirmation pop-up
Komponente | Setup |
Titel | Fix XSS in confirmation pop-up |
Datum | 10.06.2024 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk-Version | 2.2.0p28 2.3.0p7 2.4.0b1 |
Level | Kleine Änderung |
Klasse | Sicherheitsfix |
Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen |
Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
Affected Versions:
- 2.3.0
- 2.2.0
Indicators of Compromise:
Injected HTML elements in some specific user input fields with no proper escaping that are displayed in the confirmation pop-up.
Vulnerability Management:
We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
, and assigned CVE-2024-28831
.