Werk #17026: Fix XSS in view page with SLA column

Component Setup
Title Fix XSS in view page with SLA column
Date Aug 15, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p14 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p33 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p48 Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL)

Indicators of Compromise:

Cloning the view page of untrusted users who have injected HTML into the SLA titles.

Vulnerability Management:

We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N, and assigned CVE-2024-38859.

To the list of all Werks