Werk #11747: Fix stored XSS triggered by received syslog messages
Component | Event Console |
Title | Fix stored XSS triggered by received syslog messages |
Date | Dec 3, 2020 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk Version | 1.6.0p20 2.0.0b2 2.1.0b1 |
Level | Prominent Change |
Class | Security Fix |
Compatibility | Compatible - no manual interaction needed |
You are only affected by this issue in case you use the Event Console.
An attacker could send messages to the Event Console, e.g. via syslog, containing arbitrary HTML code. This was executed in the browser context of any user viewing the event in the Checkmk user interface.
The information is now properly escaped in a generic way to prevent these issues.