Werk #17025: Fix XSS in confirmation pop-up

Component: Setup
Title: Fix XSS in confirmation pop-up
Date: 10.06.2024
Level: Trivial change
Class: Security fix
Compatibility: Compatible - no manual intervention required
Checkmk versions & editions
2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p7 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p28 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability.

This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.

Affected Versions:

  • 2.3.0
  • 2.2.0

Indicators of Compromise:

Injected HTML elements in the specific user input fields that are displayed in the confirmation pop-up without proper escaping.
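The two passages above describe the defect (user input concatenated into a confirmation pop-up as HTML) and its indicator (tag-like content in fields that feed that pop-up). The following added example is not Checkmk code; it is a stand-alone illustration of the vulnerable pattern beside its hardened form, plus a simple check for the indicator. The `hostName` parameter, the pop-up wording and the sample input are assumptions made for the illustration.

```javascript
// Added example (not Checkmk's own code): rendering untrusted input in a
// confirmation pop-up, unsafe and safe variants, plus an indicator check.

// Minimal HTML escaping for text placed into element content or a
// quoted attribute. Order matters: '&' must be escaped first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the user-controlled value is interpolated into the
// markup verbatim. If a browser assigns this string via innerHTML (or a
// dialog library does so internally), any tags in the value are parsed.
function buildConfirmationUnsafe(hostName) {
  return `<p>Do you really want to delete host <b>${hostName}</b>?</p>`;
}

// Hardened pattern: identical template, but the untrusted value is
// escaped at the point where it enters the markup, so the browser shows
// the characters literally instead of interpreting them.
function buildConfirmationSafe(hostName) {
  return `<p>Do you really want to delete host <b>${escapeHtml(hostName)}</b>?</p>`;
}

// Indicator check in the spirit of the advisory: identifiers such as host
// names have no legitimate reason to contain tag-like sequences, so a
// stored field value matching this pattern deserves a closer look.
function looksLikeInjectedHtml(fieldValue) {
  return /<\/?[a-zA-Z][^>]*>/.test(String(fieldValue));
}

// Constructed sample input for the demonstration (not data from the page).
const SAMPLE_INPUT = "srv01<i>injected</i>";

console.log(buildConfirmationUnsafe(SAMPLE_INPUT)); // tag survives into markup
console.log(buildConfirmationSafe(SAMPLE_INPUT));   // tag is neutralised
console.log(looksLikeInjectedHtml(SAMPLE_INPUT));   // true
```

When a dialog component only needs to show text, setting `textContent` (or the framework's text-binding) is preferable to escaping into an HTML string at all; the escaping function above is the fallback for code paths that genuinely build markup.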

Vulnerability Management:

We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and assigned CVE-2024-28831.
