
Werk #11747: Fix stored XSS triggered by received syslog messages

Component: Event Console
Title: Fix stored XSS triggered by received syslog messages
Date: Dec 3, 2020
Level: Prominent Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:
- 2.1.0b1: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
- 2.0.0b2: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
- 1.6.0p20: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

You are only affected by this issue if you use the Event Console.

An attacker could send messages to the Event Console, e.g. via syslog, containing arbitrary HTML code. This was executed in the browser context of any user viewing the event in the Checkmk user interface.

The information is now properly escaped in a generic way to prevent these issues.
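
The following sketch illustrates the class of bug and the generic fix described above. It is an added example, not Checkmk's own code: the function names, the simplified syslog pattern and the sample message are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample: an RFC 3164-style syslog line whose text carries HTML markup.
SAMPLE = '<13>Dec  3 10:15:00 web01 app: disk full <b title="x">marked up</b>'

# Simplified pattern (assumption): priority, timestamp, host, tag, free text.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<text>.*)$"
)


def parse_event(line):
    """Split a syslog line into event fields. Every field is sender-controlled."""
    m = SYSLOG_RE.match(line)
    if m is None:
        # Unparseable input is kept as plain text rather than dropped.
        return {"pri": "", "ts": "", "host": "", "tag": "", "text": line}
    return m.groupdict()


def render_row_unsafe(event):
    """'Before' form: stored values are concatenated into markup as-is."""
    return "<tr>" + "".join(f"<td>{v}</td>" for v in event.values()) + "</tr>"


def render_row_escaped(event):
    """Escape every value at the output layer, whichever field it came from."""
    cells = "".join(
        f"<td>{html.escape(str(v), quote=True)}</td>" for v in event.values()
    )
    return f"<tr>{cells}</tr>"


if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(render_row_unsafe(ev))   # markup from the message reaches the page
    print(render_row_escaped(ev))  # markup is shown as literal text
```

Escaping in the renderer rather than per field means a newly added event attribute is covered without anyone having to remember it.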
