Werk #982: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
Komponente | User interface |
Titel | Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C |
Datum | 27.05.2014 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk-Version | 1.2.5i4 |
Level | Bedeutende Änderung |
Klasse | Sicherheitsfix |
Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen |
This fixes the following issue:
The check_mk application is susceptible to reflected XSS attacks. This is mainly the result of inproper output encoding. Reflected XSS can be triggered by sending a malicious URL to a user of the check_mk application. Once the XSS attack is triggered, the attacker has access to the full check_mk (and nagios) application with the access rights of the logged in victim.
The fix applies to the function:
htmllib.py: render_status_icons() actions.py: ajax_action()